Weakest Preexpectation Semantics for Bayesian Inference

Conditioning, Continuous Distributions and Divergence

Engineering Trustworthy Software Systems (SETSS 2019)

Abstract

We present a semantics of a probabilistic while-language with soft conditioning and continuous distributions, which handles programs diverging with positive probability. To this end, we extend the probabilistic guarded command language (pGCL) with draws from continuous distributions and a score operator. The main contribution is an extension of the standard weakest preexpectation semantics to support these constructs. As a sanity check of our semantics, we define an alternative trace-based semantics of the language and show that the two semantics are equivalent. Various examples illustrate the applicability of the semantics.

This work is supported by the ERC Advanced Grant Project FRAPPANT (project number 787914).

Notes

  1.

    Available online under http://probmods.org/chapters/conditioning.html.

  2.

    Note that the value of \(\mathtt {Gaussian\_inv\_cdf}(\mu , \sigma , u)\) is technically only defined for \(u \in (0,1)\), but we can safely extend it to [0, 1] by setting \(\mathtt {Gaussian\_inv\_cdf}(\mu , \sigma , 0)\) and \(\mathtt {Gaussian\_inv\_cdf}(\mu , \sigma , 1)\) to some arbitrary value (say, 0), as the probability of drawing 0 or 1 from the continuous uniform distribution on [0, 1] is zero, anyway.

  3.

    This assumption requires a \(\sigma \)-algebra on expressions and predicates. This can be defined as a Borel \(\sigma \)-algebra induced by a simple metric on syntactic terms, as in  [5].

  4.

    The Lebesgue measure is usually denoted by \(\lambda \) in the literature. We write \(\mu _L\) instead to avoid confusion with the use of \(\lambda \sigma \) to define a function with formal parameter \(\sigma \).

  5.

    We can integrate the Gaussian inverse over the interval (0, 1) instead of [0, 1], because the value of the Lebesgue integral at a single point does not contribute to the result.

  6.

    If we set this value to just \(\pi _U(\theta )\), we would lose the property that an already used “element” of the entropy cannot appear in the entropy in the subsequent configuration, because we do not know what parts of \(\theta \) the value of \(\pi _U(\theta )\) depends on. In the Hilbert cube implementation discussed before, \(\pi _U(\theta )\) is equivalent to \(\pi _U(\pi _L(\theta ))\) and “disjoint” from \(\pi _R(\theta )\), but if we defined \(\pi _U(\theta )\) to be, for instance, the second element of the sequence encoded by \(\theta \), this would not be the case. Obviously, this does not matter in practice, as after the (draw) rule, the expression to be evaluated with entropy \(\pi _R(\theta )\) is empty, but it is still elegant to keep this property.

  7.

    The reason the last set is \(S_{n-1}\) and not \(S_{n}\) is that \(\mathtt {while}^1(\phi )\{C''\} = C'';\mathtt {diverge}\) if \(\phi \) is true, so \(\mathtt {while}^n(\theta )\{C''\}\) only terminates if the loop body is executed at most \(n-1\) times.

  8.

    This time, the last set is \(S_{n}\), because the \(\mathtt {score}\) statement will be executed even if the loop body is followed by \(\mathtt {diverge}\).

  9.

    The result in [39] considers g with co-domain \([0, \infty )\) rather than \(\overline{\mathbb {R}}_{+}\). It is, however, not difficult to check that their result extends to the latter case.

References

  1. Abramsky, S., Jung, A.: Domain theory. In: Abramsky, S., Gabbay, D.M., Maibaum, T.S.E. (eds.) Handbook of Logic in Computer Science, vol. 3, pp. 1–168. Oxford University Press, Inc. (1994). http://dl.acm.org/citation.cfm?id=218742.218744

  2. Aumann, R.J.: Borel structures for function spaces. Illinois J. Math. 5(4), 614–630 (1961). http://projecteuclid.org/euclid.ijm/1255631584

  3. Bichsel, B., Gehr, T., Vechev, M.: Fine-grained semantics for probabilistic programs. In: Ahmed, A. (ed.) ESOP 2018. LNCS, vol. 10801, pp. 145–185. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89884-1_6

  4. Billingsley, P.: Probability and Measure, 3rd edn. Wiley, New York (1995)

  5. Borgström, J., Dal Lago, U., Gordon, A.D., Szymczak, M.: A lambda-calculus foundation for universal probabilistic programming. In: Garrigue, J., Keller, G., Sumii, E. (eds.) Proceedings of the 21st ACM SIGPLAN International Conference on Functional Programming, ICFP 2016, Nara, Japan, 18–22 September 2016, pp. 33–46. ACM (2016). https://doi.org/10.1145/2951913.2951942

  6. Borgström, J., Gordon, A.D., Greenberg, M., Margetson, J., Gael, J.V.: Measure transformer semantics for Bayesian machine learning. Log. Meth. Comput. Sci. 9(3), 1–39 (2013). https://doi.org/10.2168/LMCS-9(3:11)201

  7. Chatterjee, K., Novotný, P., Zikelic, D.: Stochastic invariants for probabilistic termination. In: Castagna, G., Gordon, A.D. (eds.) Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages, POPL 2017, Paris, France, January 18–20, 2017, pp. 145–160. ACM (2017). http://dl.acm.org/citation.cfm?id=3009873

  8. Culpepper, R., Cobb, A.: Contextual equivalence for probabilistic programs with continuous random variables and scoring. In: Yang, H. (ed.) ESOP 2017. LNCS, vol. 10201, pp. 368–392. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54434-1_14

  9. Dahlqvist, F., Kozen, D.: Semantics of higher-order probabilistic programs with conditioning. Proc. ACM Program. Lang. 4(POPL), 57:1–57:29 (2020). https://doi.org/10.1145/3371125

  10. Goodman, N.D., Mansinghka, V.K., Roy, D.M., Bonawitz, K., Tenenbaum, J.B.: Church: a language for generative models. In: McAllester, D.A., Myllymäki, P. (eds.) UAI 2008, Proceedings of the 24th Conference in Uncertainty in Artificial Intelligence, Helsinki, Finland, July 9–12, 2008, pp. 220–229. AUAI Press (2008), https://dslpitt.org/uai/displayArticleDetails.jsp?mmnu=1&smnu=2&article_id=1346&proceeding_id=24

  11. Goodman, N.D., Stuhlmüller, A.: The design and implementation of probabilistic programming languages (2014). http://dippl.org

  12. Goodman, N.D., Tenenbaum, J.B., Contributors, T.P.: Probabilistic Models of Cognition (2016). http://probmods.org/v2

  13. Gretz, F., Katoen, J., McIver, A.: Operational versus weakest pre-expectation semantics for the probabilistic guarded command language. Perform. Eval. 73, 110–132 (2014). https://doi.org/10.1016/j.peva.2013.11.004

  14. Habil, E.: Double sequences and double series. IUG J. Nat. Stud. 14(1), 1–32 (2006)

  15. Heunen, C., Kammar, O., Staton, S., Yang, H.: A convenient category for higher-order probability theory. In: 32nd Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2017, Reykjavik, Iceland, June 20–23, 2017, pp. 1–12. IEEE Computer Society (2017). https://doi.org/10.1109/LICS.2017.8005137

  16. Huang, D., Morrisett, G.: An application of computable distributions to the semantics of probabilistic programming languages. In: Thiemann, P. (ed.) ESOP 2016. LNCS, vol. 9632, pp. 337–363. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49498-1_14

  17. Hutton, G.: Introduction to Domain Theory (1994). Lecture notes. http://www.cs.nott.ac.uk/~pszgmh/domains.html

  18. Icard, T.: Beyond almost-sure termination. In: Gunzelmann, G., Howes, A., Tenbrink, T., Davelaar, E.J. (eds.) Proceedings of the 39th Annual Meeting of the Cognitive Science Society, CogSci 2017, London, UK, 16–29 July 2017. cognitivesciencesociety.org (2017). https://mindmodeling.org/cogsci2017/papers/0430/index.html

  19. Ishwaran, H., James, L.F.: Gibbs sampling methods for stick-breaking priors. J. Am. Stat. Assoc. 96(453), 161–173 (2001). http://www.jstor.org/stable/2670356

  20. Jansen, N., Kaminski, B.L., Katoen, J., Olmedo, F., Gretz, F., McIver, A.: Conditioning in probabilistic programming. In: Ghica, D.R. (ed.) The 31st Conference on the Mathematical Foundations of Programming Semantics, MFPS 2015, Nijmegen, The Netherlands, 22–25 June 2015. Electronic Notes in Theoretical Computer Science, vol. 319, pp. 199–216. Elsevier (2015). https://doi.org/10.1016/j.entcs.2015.12.013

  21. Kaminski, B.L.: Advanced Weakest Precondition Calculi for Probabilistic Programs. Ph.D. thesis, RWTH Aachen University, February 2019

  22. Kaminski, B.L., Katoen, J., Matheja, C., Olmedo, F.: Weakest precondition reasoning for expected runtimes of randomized algorithms. J. ACM 65(5), 30:1–30:68 (2018). https://doi.org/10.1145/3208102

  23. Katoen, J.: The probabilistic model checking landscape. In: Grohe, M., Koskinen, E., Shankar, N. (eds.) Proceedings of the 31st Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2016, New York, NY, USA, 5–8 July 2016, pp. 31–45. ACM (2016). https://doi.org/10.1145/2933575.2934574

  24. Kozen, D.: Semantics of probabilistic programs. J. Comput. Syst. Sci. 22(3), 328–350 (1981). https://doi.org/10.1016/0022-0000(81)90036-2

  25. McIver, A., Morgan, C.: Abstraction, Refinement and Proof for Probabilistic Systems. Monographs in Computer Science. Springer, New York (2005). https://doi.org/10.1007/b138392

  26. Morgan, C., McIver, A.: Unifying WP and WLP. Inf. Process. Lett. 59(3), 159–163 (1996). https://doi.org/10.1016/0020-0190(96)00093-2

  27. Morgan, C., McIver, A., Seidel, K.: Probabilistic predicate transformers. ACM Trans. Program. Lang. Syst. 18(3), 325–353 (1996). https://doi.org/10.1145/229542.229547

  28. Nori, A.V., Hur, C., Rajamani, S.K., Samuel, S.: R2: an efficient MCMC sampler for probabilistic programs. In: Brodley, C.E., Stone, P. (eds.) Proceedings of the Twenty-Eighth AAAI Conference on Artificial Intelligence, Québec City, Québec, Canada, 27–31 July 2014, pp. 2476–2482. AAAI Press (2014). http://www.aaai.org/ocs/index.php/AAAI/AAAI14/paper/view/8192

  29. Olmedo, F., Gretz, F., Jansen, N., Kaminski, B.L., Katoen, J., McIver, A.: Conditioning in probabilistic programming. ACM Trans. Program. Lang. Syst. 40(1), 41–450 (2018). https://doi.org/10.1145/3156018

  30. Olmedo, F., Kaminski, B.L., Katoen, J., Matheja, C.: Reasoning about recursive probabilistic programs. In: Grohe, M., Koskinen, E., Shankar, N. (eds.) Proceedings of the 31st Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2016, New York, NY, USA, 5–8 July 2016, pp. 672–681. ACM (2016). https://doi.org/10.1145/2933575.2935317

  31. Park, S., Pfenning, F., Thrun, S.: A probabilistic language based on sampling functions. ACM Trans. Program. Lang. Syst. 31(1) (2008). https://doi.org/10.1145/1452044.1452048

  32. Saheb-Djahromi, N.: Probabilistic LCF. In: Winkowski, J. (ed.) MFCS 1978. LNCS, vol. 64, pp. 442–451. Springer, Heidelberg (1978). https://doi.org/10.1007/3-540-08921-7_92

  33. Ścibior, A., Kammar, O., Ghahramani, Z.: Functional programming for modular Bayesian inference. Proc. ACM Program. Lang. 2(ICFP), 83:1–83:29 (2018). https://doi.org/10.1145/3236778

  34. Solovay, R.M.: A model of set-theory in which every set of reals is Lebesgue measurable. Ann. Math. 92(1), 1–56 (1970). http://www.jstor.org/stable/1970696

  35. Staton, S., Yang, H., Wood, F., Heunen, C., Kammar, O.: Semantics for probabilistic programming: higher-order functions, continuous distributions, and soft constraints. In: Proceedings of the 31st Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2016, pp. 525–534. ACM, New York (2016). https://doi.org/10.1145/2933575.2935313

  36. Szymczak, M.: Programming Language Semantics as a Foundation for Bayesian Inference. Ph.D. thesis, University of Edinburgh (2018). https://www.era.lib.ed.ac.uk/handle/1842/28993

  37. Toronto, N., McCarthy, J., Van Horn, D.: Running probabilistic programs backwards. In: Vitek, J. (ed.) ESOP 2015. LNCS, vol. 9032, pp. 53–79. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46669-8_3

  38. Vákár, M., Kammar, O., Staton, S.: A domain theory for statistical probabilistic programming. Proc. ACM Program. Lang. 3(POPL), 36:1–36:29 (2019). https://doi.org/10.1145/3290349

  39. Wand, M., Culpepper, R., Giannakopoulos, T., Cobb, A.: Contextual equivalence for a probabilistic language with continuous random variables and recursion. Proc. ACM Program. Lang. 2(ICFP), 87:1–87:30 (2018). https://doi.org/10.1145/3236782

Author information

Corresponding author

Correspondence to Marcin Szymczak.

Appendices

A Basics of Measure Theory

This section presents the basic definitions of measure theory used throughout this paper. For a more thorough introduction to measure theory, please consult one of the standard textbooks such as [4].

Measurable Spaces

Definition 2

A \(\sigma \)-algebra \({\varSigma }\) on a set \({\varOmega }\) is a set consisting of subsets of \({\varOmega }\) which satisfies the following properties:

  • \(\emptyset \in {\varSigma }\)

  • If \(A \in {\varSigma }\), then \({\varOmega } \setminus A \in {\varSigma }\) (closure under complements)

  • If \(A_i \in {\varSigma }\) for all \(i \in \mathbb {N}\), then \(\bigcup _{i \in \mathbb {N}} A_i \in {\varSigma }\) (closure under countable unions)

The tuple \(({\varOmega }, {\varSigma })\) of a set \({\varOmega }\) and its \(\sigma \)-algebra \({\varSigma }\) is called a measurable space. A set \(A \in {\varSigma }\) is called a measurable set.

Definition 3

A \(\sigma \)-algebra on a set \({\varOmega }\) generated by a set S of subsets of \({\varOmega }\) is the smallest \(\sigma \)-algebra containing S.

Definition 4

A countably generated \(\sigma \)-algebra on \({\varOmega }\) is a \(\sigma \)-algebra generated by a countable set of subsets of \({\varOmega }\).

Definition 5

If \(({\varOmega }_1, {\varSigma }_1)\) and \(({\varOmega }_2, {\varSigma }_2)\) are measurable spaces, the product of the \(\sigma \)-algebras \({\varSigma }_1\) and \({\varSigma }_2\) is the \(\sigma \)-algebra \({\varSigma }_1 \otimes {\varSigma }_2\) on \({\varOmega }_1 \times {\varOmega }_2\) defined as \({\varSigma }_1 \otimes {\varSigma }_2 = \sigma (\{A_1 \times A_2\ |\ A_1 \in {\varSigma }_1, A_2 \in {\varSigma }_2 \})\). This definition extends naturally to arbitrary finite products of measures.

Definition 6

A Borel \(\sigma \)-algebra \(\mathcal {R}\) on \(\mathbb {R}\) is the \(\sigma \)-algebra generated by the set of open intervals \((a, \infty )\) for \(a \in \mathbb {R}\). A Borel \(\sigma \)-algebra \(\mathcal {R}_n\) on \(\mathbb {R}^n\) is the n-fold product of \(\mathcal {R}\).

Measures

Definition 7

A measure on the measurable space \(({\varOmega }, {\varSigma })\) is a function \(\mu : {\varSigma } \mapsto \overline{\mathbb {R}}_{+}\) such that \(\mu (\emptyset ) = 0\) and for any collection of pairwise disjoint sets \(A_1, A_2, \dots \), \(\mu (\bigcup _{i \in \mathbb {N}} A_i) = \sum _{i \in \mathbb {N}} \mu (A_i)\) (i.e. \(\mu \) is countably additive).

Definition 8

A product \(\mu _1 \otimes \mu _2\) of measures \(\mu _1\) and \(\mu _2\) on \(({\varOmega }_1, {\varSigma }_1)\) and \(({\varOmega }_2, {\varSigma }_2)\), respectively, is the unique measure on \(({\varOmega }_1 \times {\varOmega }_2, {\varSigma }_1 \times {\varSigma }_2)\) which satisfies \((\mu _1 \otimes \mu _2)(A_1 \times A_2) = \mu _1(A_1) \mu _2(A_2)\) for all \(A_1 \in {\varSigma }_1\), \(A_2 \in {\varSigma }_2\). This definition extends naturally to finite products of higher dimensions.

Definition 9

The Lebesgue measure on \((\mathbb {R}, \mathcal {R})\) is the unique measure \(\mu _L\) which satisfies \(\mu _L([a,b]) = b - a\) for all \(a, b \in \mathbb {R}\) such that \(b \ge a\). The Lebesgue measure on \((\mathbb {R}^n, \mathcal {R}_n)\) is the n-fold product of \(\mu _L\).

Definition 10

A probability measure on \(({\varOmega }, {\varSigma })\) is a measure \(\mu \) such that \(\mu ({\varOmega }) = 1\). A subprobability measure on \(({\varOmega }, {\varSigma })\) is a measure \(\mu \) with \(\mu ({\varOmega }) \le 1\).

Definition 11

A measure \(\mu \) on \(({\varOmega }, {\varSigma })\) is \(\sigma \)-finite if there exists a sequence of sets \(A_i \in {\varSigma }\) such that \(A_i \subseteq A_{i+1}\) for all i and \(\mu (A_i) < \infty \) and \({\varOmega } = \bigcup _{i \in \mathbb {N}} A_i\).

Measurable Functions and Integrals

Definition 12

A function f between measurable spaces \(({\varOmega }_1, {\varSigma }_1)\) and \(({\varOmega }_2, {\varSigma }_2)\) is measurable \({\varSigma }_1 / {\varSigma }_2\) if for all \(B \in {\varSigma }_2\), \(f^{-1}(B) \in {\varSigma }_1\). If the \(\sigma \)-algebras \({\varSigma }_1\) and \({\varSigma }_2\) are clear from the context, we will simply call f measurable.

Definition 13

For a measurable space \(({\varOmega }, {\varSigma })\), a simple function \(g :{\varOmega } \to \mathbb {R}_{+}\) is a measurable \({\varSigma } / \mathcal {R}\) function with a finite image set, which can be expressed as \(g(x) = \sum _{i=1}^{n} \alpha _i [x \in A_i]\), where \(A_i = g^{-1}(\alpha _i)\). The Lebesgue integral of a simple function \(g(x) = \sum _{i=1}^{n} \alpha _i [x \in A_i]\) with respect to a measure \(\mu \) on \(({\varOmega }, {\varSigma })\) is defined as:

$$ \int g(x)\, \mu (dx) = \sum _{i=1}^n \alpha _i \mu (A_i) $$

The Lebesgue integral of any measurable function f is then defined as the limit of integrals of simple functions pointwise smaller than f:

$$ \int f(x)\, \mu (dx) = \sup \left\{ \int g(x)\, \mu (dx) \ |\ g\ \text {simple}, g \le f \right\} $$

Theorem 3 (Beppo Levi)

Let \(f_n :X \to \overline{\mathbb {R}}_{+}\) be a (pointwise) non-decreasing sequence of positive measurable functions and let \(f = \lim _{n \to \infty } f_n\) be the pointwise limit of the sequence. Then f is measurable and

$$ \int f\, d\mu = \lim _{n \to \infty } \int f_n\, d\mu $$

The same holds for non-increasing sequences, provided that \(\int f_0\, d\mu < \infty \).

Note that the limit and supremum of a non-decreasing sequence coincide. The limit and infimum of a non-increasing sequence also coincide.

Metric and Topological Spaces

Definition 14

A metric on a set \({\varOmega }\) is a function \(d :{\varOmega } \times {\varOmega } \to \overline{\mathbb {R}}_{+}\) such that \(d(x,x) = 0\) and \(d(x,y) + d(y,z) \ge d(x,z)\) for all \(x, y, z \in {\varOmega }\). The pair \(({\varOmega }, d)\) is called a metric space.

Definition 15

If \(({\varOmega }, d)\) is a metric space, \(A \subseteq {\varOmega }\) is open if every element \(x \in A\) has a neighbourhood which is completely enclosed in A, i.e. there exists \(\epsilon > 0\) such that \(\{y \in {\varOmega }\ |\ d(x,y) < \epsilon \} \subseteq A\).

Definition 16

If \(({\varOmega }_1, d_1)\) and \(({\varOmega }_2, d_2)\) are metric spaces, then a product of \(({\varOmega }_1, d_1)\) and \(({\varOmega }_2, d_2)\) is the metric space \(({\varOmega }_1 \times {\varOmega }_2, d_{12})\), where \(d_{12}\) is the Manhattan product of metrics \(d_1\) and \(d_2\), defined as

$$d_{12}((x_1, y_1), (x_2, y_2)) = d_1(x_1, y_1) + d_2(x_2, y_2).$$

This definition naturally extends to finite products of higher dimensions.

A product of topological spaces can also be defined using the standard Euclidean product metric \(d_{12}((x_1, y_1), (x_2, y_2)) =\sqrt{ d_1(x_1, y_1)^2 + d_2(x_2, y_2)^2}\); both metrics induce the same topology. We use Manhattan products as they are easier to work with.

Definition 17

A topology on a set \({\varOmega }\) is a set \(\mathcal {O}\) of subsets of \({\varOmega }\) such that

  • \(\emptyset \in \mathcal {O}\)

  • \({\varOmega } \in \mathcal {O}\)

  • For all \(O_1, \dots , O_n \in \mathcal {O}\), \(O_1 \cap O_2 \cap \dots \cap O_n \in \mathcal {O}\)

  • If \(O_i \in \mathcal {O}\) for all \(i \in \mathbb {N}\), then \(\bigcup _{i \in \mathbb {N}} O_i \in \mathcal {O}\).

The pair \(({\varOmega }, \mathcal {O})\) is called a topological space and the elements of the topology \(\mathcal {O}\) are called open sets.

Definition 18

If \(({\varOmega }_1, \mathcal {O}_1)\) and \(({\varOmega }_2, \mathcal {O}_2)\) are topological spaces, then a product of \(({\varOmega }_1, \mathcal {O}_1)\) and \(({\varOmega }_2, \mathcal {O}_2)\) is the topological space \(({\varOmega }_1 \times {\varOmega }_2, \mathcal {O}_1 \times \mathcal {O}_2)\), where the product of topologies \(\mathcal {O}_1 \times \mathcal {O}_2\) is the smallest topology on \({\varOmega }_1 \times {\varOmega }_2\) which makes both left and right projections continuous. This definition naturally extends to finite products of higher dimensions.

Definition 19

A function f between metric spaces \(({\varOmega }_1,d_1)\) and \(({\varOmega }_2,d_2)\) is continuous if for every \(x \in {\varOmega }_1\) and \(\epsilon > 0\), there exists \(\delta > 0\) such that for all \(y \in {\varOmega }_1\), if \(d_1(x,y) < \delta \), then \(d_2(f(x), f(y)) < \epsilon \).

Definition 20

A function f between topological spaces \(({\varOmega }_1,\mathcal {O}_1)\) and \(({\varOmega }_2, \mathcal {O}_2)\) is continuous if for every open set \(O \in \mathcal {O}_2\), \(f^{-1}(O) \in \mathcal {O}_1\).

From Metric to Measurable Spaces

Definition 21

A topology on \({\varOmega }\) induced by a metric d is the smallest topology which contains all open sets of the metric space \(({\varOmega }, d)\).

Definition 22

The Borel \(\sigma \)-algebra \(\mathcal {B}({\varOmega }, \mathcal {O})\) is the \(\sigma \)-algebra generated by a topology \(\mathcal {O}\) on \({\varOmega }\).

Definition 23

We call the Borel \(\sigma \)-algebra on \({\varOmega }\) generated by the topology induced by the metric d the \(\sigma \)-algebra induced by d. We denote such a \(\sigma \)-algebra by \(\mathcal {B}({\varOmega }, d)\).

The following lemmas are well-established results:

Lemma 11

If \(\mathcal {O}_1\) and \(\mathcal {O}_2\) are, respectively, topologies on \({\varOmega }_1\) and \({\varOmega }_2\) induced by metrics \(d_1\) and \(d_2\), and a function f between the metric spaces \(({\varOmega }_1,d_1)\) and \(({\varOmega }_2,d_2)\) is continuous, then f is also continuous as a function between topological spaces \(({\varOmega }_1, \mathcal {O}_1)\) and \(({\varOmega }_2, \mathcal {O}_2)\).

Lemma 12

If f is a continuous function between topological spaces \(({\varOmega }_1, \mathcal {O}_1)\) and \(({\varOmega }_2, \mathcal {O}_2)\) and \({\varSigma }_1\) and \({\varSigma }_2\) are the Borel \(\sigma \)-algebras on, respectively, \({\varOmega }_1\) and \({\varOmega }_2\) generated by topologies \(\mathcal {O}_1\) and \(\mathcal {O}_2\), then the function f is measurable.

Corollary 2

If \(({\varOmega }_1, d_1)\) and \(({\varOmega }_2, d_2)\) are metric spaces and f is a continuous function from \({\varOmega }_1\) to \({\varOmega }_2\), then f is measurable \(\mathcal {B}({\varOmega }_1, d_1) / \mathcal {B}({\varOmega }_2, d_2)\).

Lemma 13

If \(({\varOmega }_1, d_1)\) and \(({\varOmega }_2, d_2)\) are separable metric spaces, then for the Manhattan product \(d_{12}\) of metrics \(d_1\) and \(d_2\)

$$ \mathcal {B}({\varOmega }_1 \times {\varOmega }_2, d_{12}) = \mathcal {B}({\varOmega }_1, d_1) \times \mathcal {B}({\varOmega }_2, d_2) $$

Corollary 3

If \(({\varOmega }_1, d_1)\), \(({\varOmega }_2, d_2)\), \(({\varOmega }_3, d_3)\) and \(({\varOmega }_4, d_4)\) are separable metric spaces and f is a continuous function from \({\varOmega }_1 \times {\varOmega }_2\) to \({\varOmega }_3 \times {\varOmega }_4\) (with respect to corresponding product metrics) then f is measurable \(\mathcal {B}({\varOmega }_1, d_1) \times \mathcal {B}({\varOmega }_2, d_2) / \mathcal {B}({\varOmega }_3, d_3) \times \mathcal {B}({\varOmega }_4, d_4)\).

All the above results extend naturally to arbitrary finite products.

B Basics of Domain Theory

This section includes some basic definitions from domain theory which are required to understand the paper. For readers wanting a more complete, tutorial-style introduction, there are many resources available, including [17] and [1].

Please note that we use the notions of \(\omega \)-complete partial order and \(\omega \)-continuity, defined in terms of countable sequences of increasing values (\(\omega \)-chains), rather than the more general notions of complete partial order (requiring existence of suprema of directed sets) and continuity (requiring the given function to preserve suprema of all subsets of the domain). While \(\omega \)-completeness and \(\omega \)-continuity are technically weaker than completeness and continuity, respectively, they are sufficient for our purposes, as they allow applying the Kleene Fixpoint Theorem.

Definition 24 (Partially-ordered set)

A partially-ordered set is a pair \((D, \sqsubseteq )\) of set D and relation \(\sqsubseteq \) such that:

  • For each \(a \in D\), \(a \sqsubseteq a\) (reflexiveness)

  • For each \(a, b, c \in D\), if \(a \sqsubseteq b\) and \(b \sqsubseteq c\), then \(a \sqsubseteq c\) (transitivity)

  • For each \(a, b \in D\), if \(a \sqsubseteq b\) and \(b \sqsubseteq a\), then \(a = b\) (antisymmetry)

Definition 25 (\(\omega \)-chain and its supremum)

An \(\omega \)-chain in a partially-ordered set \((D, \sqsubseteq )\) is an infinite sequence \(d_0, d_1, d_2, \dots \) such that for all i, \(d_i \in D\) and \(d_i \sqsubseteq d_{i+1}\). The supremum \(\sup _i d_i\) of a chain \(d_0, d_1, d_2, \dots \) is the supremum of the set \(\{ d_0, d_1, d_2, \dots \}\) of elements of the chain.

Definition 26 (\(\omega \)-complete partial order)

An \(\omega \)-complete partial order (\(\omega \)-cpo) is a partial order \((D, \sqsubseteq )\) such that for each \(\omega \)-chain \(d_0, d_1, d_2, \dots \) in \((D, \sqsubseteq )\), the supremum \(\sup _i d_i\) exists in D.

Definition 27 (Monotone function)

A function \(f :D \to D'\) between \(\omega \)-cpos \((D, \sqsubseteq )\) and \((D', \sqsubseteq ')\) is monotone if \(f(d) \sqsubseteq ' f(d')\) for each \(d, d' \in D\) such that \(d \sqsubseteq d'\).

Definition 28 (\(\omega \)-continuous function)

A function \(f :D \to D'\) between \(\omega \)-cpos \((D, \sqsubseteq )\) and \((D', \sqsubseteq ')\) is \(\omega \)-continuous if it is monotone and for each \(\omega \)-chain \(d_0, d_1, d_2, \dots \) in \((D, \sqsubseteq )\), \(f(\sup _i d_i) = \sup _i f(d_i)\).

Note that in the definition above, the requirement that f is monotone ensures that \(f(d_0)\), \(f(d_1)\), \(f(d_2)\), \(\dots \) is an \(\omega \)-chain.

Definition 29 (Least fixpoint)

Let \((D, \sqsubseteq )\) be an \(\omega \)-cpo and \(f :D \to D\) a function on \((D, \sqsubseteq )\). A fixpoint of f is an element \(d \in D\) such that \(f(d) = d\). A least fixpoint of f is a fixpoint \(d_0\) of f such that for all other fixpoints d of f, \(d_0 \sqsubseteq d\).

Theorem 4 (Kleene Fixpoint Theorem)

Let \((D, \sqsubseteq )\) be an \(\omega \)-cpo and \(f :D \to D\) an \(\omega \)-continuous function. Then f has a least fixpoint, which is the supremum of the chain \(\bot \), \(f(\bot )\), \(f(f(\bot ))\), \(\dots \), that is, \(\sup _i f^i(\bot )\).
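The Kleene chain for the weakest preexpectation of a loop that diverges with positive probability, as an added Python example (not code from the chapter). It uses the draw, assignment and score rules stated in Appendix C; the loop functional \(\Phi (X) = [\lnot \phi ] \cdot f + [\phi ] \cdot \mathtt {wp}[\![{C}]\!](X)\) and the sequencing rule are the standard pGCL ones and are assumed here, integration over [0, 1] is a midpoint sum, and all function and variable names are hypothetical.

```python
from typing import Callable, Dict, List

State = Dict[str, float]
Exp = Callable[[State], float]   # expectation: state -> [0, inf)
Prog = Callable[[Exp], Exp]      # a program, represented by its wp transformer

# Midpoint rule on [0,1] (an assumption of this sketch); exact here because the
# integrands are linear or step functions with breakpoints at multiples of 1/4.
GRID = 20


def memo(f: Exp) -> Exp:
    """Cache an expectation per state so each Kleene iterate is computed once."""
    cache: Dict[tuple, float] = {}

    def cached(s: State) -> float:
        key = tuple(sorted(s.items()))
        if key not in cache:
            cache[key] = f(s)
        return cache[key]
    return cached


def draw(x: str) -> Prog:
    # wp[[x :~ U]](f) = lambda sigma. integral over [0,1] of f(sigma[x -> v]) dv
    return lambda f: lambda s: sum(
        f({**s, x: (k + 0.5) / GRID}) for k in range(GRID)) / GRID


def assign(x: str, expr: Callable[[State], float]) -> Prog:
    # wp[[x := E]](f) = lambda sigma. f(sigma[x -> sigma(E)])
    return lambda f: lambda s: f({**s, x: expr(s)})


def score(expr: Callable[[State], float]) -> Prog:
    # wp[[score(E)]](f) = lambda sigma. [sigma(E) in (0,1]] * sigma(E) * f(sigma)
    return lambda f: lambda s: expr(s) * f(s) if 0 < expr(s) <= 1 else 0.0


def seq(*progs: Prog) -> Prog:
    # Assumed standard rule: wp[[C1; C2]](f) = wp[[C1]](wp[[C2]](f))
    def wp(f: Exp) -> Exp:
        for p in reversed(progs):
            f = p(f)
        return f
    return wp


def kleene_chain(guard, body: Prog, f: Exp, n: int) -> List[Exp]:
    """[Phi^0(bot), ..., Phi^n(bot)], Phi(X) = [not guard]*f + [guard]*wp[[body]](X)."""
    chain: List[Exp] = [lambda s: 0.0]          # bot: the constant-zero expectation
    for _ in range(n):
        through_body = body(chain[-1])
        chain.append(memo(
            lambda s, tb=through_body: tb(s) if guard(s) else f(s)))
    return chain


def next_c(s: State) -> int:
    # Constructed program: c = 2 is absorbing, so the loop never exits from it
    # (divergence). From c = 1 the draw u exits with probability 1/2, retries
    # with probability 1/4 and gets stuck with probability 1/4.
    if s["c"] == 2:
        return 2
    return 0 if s["u"] < 0.5 else (1 if s["u"] < 0.75 else 2)


BODY = seq(draw("u"), assign("c", next_c))   # loop body: u :~ U; c := next_c


def GUARD(s: State) -> bool:                 # loop guard: c != 0
    return s["c"] != 0


def termination_bounds(n: int, c0: int = 1) -> List[float]:
    """Phi^k(bot) at the initial state, k = 0..n, for post-expectation 1."""
    chain = kleene_chain(GUARD, BODY, lambda s: 1.0, n)
    s0 = {"c": c0, "u": 0.0}
    return [X(s0) for X in chain]


def score_after_draw() -> float:
    # wp[[u :~ U; score(u)]](1) = integral of u over [0,1]
    return seq(draw("u"), score(lambda s: s["u"]))(lambda s: 1.0)({"u": 0.0})


if __name__ == "__main__":
    print(termination_bounds(12))
    print(score_after_draw())
```

The iterates form a non-decreasing chain whose supremum, the least fixpoint, is the probability of termination from the initial state; it stays strictly below 1 because the absorbing state contributes 0 at every step.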

C Proofs for the \(\mathtt {wp}\) and \(\mathtt {wlp}\) Semantics

In order to prove that \(\mathtt {wp}[\![{C}]\!](f)\) is measurable for all f, we first need to prove that the state update \(\lambda (x, \sigma , E) . \sigma [x \mapsto \sigma (E)]\) is measurable. Since states are a new structure, not discussed in the proofs of measurability in [36], we present the proof in more detail than other measurability proofs in this paper.

We define a metric \(d_{\mathcal {N}}\) on variables as \(d_{\mathcal {N}}(x,x)=0\) and \(d_{\mathcal {N}}(x,y) = \infty \) for \(x \ne y\). The metric space \((\mathcal {N}, d_{\mathcal {N}})\) induces the usual discrete \(\sigma \)-algebra on \(\mathcal {N}\).

Lemma 14

The update function \(h :\mathcal {N} \times {\varOmega }_{\sigma }\times (\mathbb {R} \uplus \mathbb {Z}) \to {\varOmega }_{\sigma }\) defined by \(h(x, \sigma , v) = \sigma [x \mapsto v]\), is measurable.

Proof

We prove that this function is continuous, which implies measurability. Take \(x_1, x_2 \in \mathcal {N}\), \(\sigma _1, \sigma _2 \in {\varOmega }_{\sigma }\) and \(V_1, V_2 \in \mathbb {R} \uplus \mathbb {Z}\). If \(\mathtt {dom}(\sigma _1) \ne \mathtt {dom}(\sigma _2)\) then \(d_\sigma (\sigma _1, \sigma _2) = \infty \), so trivially \(d_\sigma (h(x_1, \sigma _1,V_1), h(x_2, \sigma _2,V_2)) \le d_{\mathcal {N}}(x_1, x_2) + d_\sigma (\sigma _1, \sigma _2) + d_T(V_1, V_2) = \infty \). The same holds when \(x_1 \ne x_2\) (which implies \(d_{\mathcal {N}}(x_1, x_2) = \infty \)). The inequality also immediately holds if \(V_1 \in \mathbb {R}\) and \(V_2 \in \mathbb {Z}\) (or vice versa), because then \(d_T(V_1, V_2) = \infty \).

Now, suppose that \(x_1 = x_2 = x\), \(\mathtt {dom}(\sigma _1) = \mathtt {dom}(\sigma _2) = \{y_1, \dots , y_n \}\) and either \(V_1, V_2 \in \mathbb {R}\) or \(V_1, V_2 \in \mathbb {Z}\). Now, if \(x = y_k\) for some k, then

$$\begin{aligned} d_\sigma (h(x, \sigma _1,V_1), h(x, \sigma _2,V_2))= & {} \sum _{i \in 1..n, i \ne k } d_T(\sigma _1(y_i), \sigma _2(y_i)) + d_T(V_1, V_2) \\\le & {} \sum _{i \in 1..n} d_T(\sigma _1(y_i), \sigma _2(y_i)) + d_T(V_1, V_2) \\= & {} d_\sigma (\sigma _1, \sigma _2) + d_T(V_1, V_2) + d_{\mathcal {N}}(x, x) \end{aligned}$$

If \(x \ne y_k\) for any k, we simply have:

$$\begin{aligned} d_\sigma (h(x, \sigma _1,V_1), h(x, \sigma _2,V_2))= & {} \sum _{i \in 1..n} d_T(\sigma _1(y_i), \sigma _2(y_i)) + d_T(V_1, V_2) \\= & {} d_\sigma (\sigma _1, \sigma _2) + d_T(V_1, V_2) + d_{\mathcal {N}}(x, x) \end{aligned}$$

Thus, \(h_x\) is continuous, and so measurable.    \(\square \)

Restatement of Lemma 3. For every program C, the function \(\mathtt {wp}[\![{C}]\!](\cdot )\) is \(\omega \)-continuous. Moreover, for every measurable \(f :{\varOmega }_{\sigma } \to \overline{\mathbb {R}}_{+}\), \(\mathtt {wp}[\![{C}]\!](f)(\cdot )\) is measurable.

Proof (of Lemma 3)

By induction on the structure of C. The continuity part of the proof is largely similar to the proof of the analogous property in [13], with additional care needed because of the use of Lebesgue integration. We need to show that for any C and any \(\omega \)-chain \(f_1 \le f_2 \le f_3 \dots \), \(\mathtt {wp}[\![{C}]\!](\sup _i f_i) = \sup _i\ \mathtt {wp}[\![{C}]\!](f_i)\) and that \(\mathtt {wp}[\![{C}]\!](f)\) is measurable for any measurable f.

  • Case \(C = x :\approx U \):

    • Continuity:

    • Measurability: We have

      $$ \mathtt {wp}[\![{ C }]\!](f) = \lambda \sigma . \int _{[0,1]} g(x, \sigma , v) \, \mu _L(dv) $$

      where \(g(x, \sigma , v) = f(\sigma [x \mapsto v ])\). Now, take \(h(x, \sigma ,v) = \sigma [x \mapsto v]\). Then \(g = f \circ h\). We know that substitutions are measurable (Lemma 14), so h is measurable. This means that g is measurable, as it is a composition of measurable functions. Thus, by the Fubini-Tonelli theorem, \(\lambda \sigma . \int _{[0,1]} g(x, \sigma , v) \, \mu _L(dv)\) is measurable, so \(\mathtt {wp}[\![{ C }]\!](f)\) is measurable.

  • Case \(C = \mathtt {score}(E)\):

    • Continuity:

    • Measurability:

      We have \(\mathtt {wp}[\![{ C }]\!](f) = \lambda \sigma .\ [\sigma (E) \in (0,1]]\sigma (E) \cdot f(\sigma )\). The substitution \(\sigma (E)\) is measurable by assumption (as a function of \(\sigma \)). Meanwhile, \([\sigma (E) \in (0,1]]\) is a composition of the measurable function \(\sigma (E)\) and the indicator function of the measurable set (0, 1], which is obviously measurable. Finally, f is measurable by assumption, so the pointwise product of these three functions is measurable.

  • Case \(C = \mathtt {observe}(\phi )\):

    • Continuity:

    • Measurability:

      We have \(\mathtt {wp}[\![{ C }]\!](f) = \lambda \sigma . [\sigma (\phi )] f(\sigma ) \). The function \(\lambda \sigma . [\sigma (\phi )]\) is measurable by assumption (we only allow measurable predicates in the language), and f is measurable by assumption of the lemma, hence their pointwise product is measurable.

  • Case \(C = (x := E )\):

    • Continuity:

    • Measurability:

      We have \(\mathtt {wp}[\![{ C }]\!](f) =\lambda \sigma . f(\sigma [x \mapsto \sigma (E)])\). This can be represented as a composition of functions \(\lambda \sigma . f \circ F_2 \circ F_1 (\sigma )\), where \(F_1(\sigma ) = (\sigma , \sigma (E))\) and \(F_2(\sigma , V) = \sigma [x \mapsto V]\). The function \(F_1\) is measurable, because the identity function \(\lambda \sigma . \sigma \) is trivially measurable, and \(\lambda \sigma . \sigma (E)\) is measurable by assumption, so both components of \(F_1\) are measurable. The function \(F_2\) is measurable by Lemma 14. Hence, \(\mathtt {wp}[\![{ C }]\!](f)\) is measurable as a composition of measurable functions.

  • Case \(C = \mathtt {while}(\phi )\{C'\}\):

    • Continuity: We have:

      $$\begin{aligned} \mathtt {wp}[\![{C}]\!](\sup _i f_i)= & {} \mathtt {wp}[\![{\mathtt {while}(\phi )\{C'\}}]\!](\sup _i f_i)\\= & {} \mathtt {lfp}\ X . [\lnot \phi ](\sup _i f_i) + [\phi ] \mathtt {wp}[\![{C'}]\!](X) \\ \end{aligned}$$

      Take \({\varPhi }_{f}(X) = [\lnot \phi ]f + [\phi ] \mathtt {wp}[\![{C'}]\!](X)\). By induction hypothesis, \(\mathtt {wp}[\![{C'}]\!](\cdot )\) is continuous, so \({\varPhi }_{f}(\cdot )\) is continuous for all \(f :{\varOmega }_{\sigma } \rightarrow \overline{\mathbb {R}}_{+}\). Moreover, it can be easily checked that for any X, \(f \mapsto {\varPhi }_{f}(X)\) is continuous as a function of f (which means that \(f \mapsto {\varPhi }_{f}\) is continuous). Thus,

      $$ \mathtt {wp}[\![{C}]\!](\sup _i f_i) = \sup _n {\varPhi }_{\sup _i f_i}^n (0) = \sup _n (\sup _i\ {\varPhi }_{f_i})^n (0) $$

      By Theorem 2.1.19.2 from [1], the function \({\varPhi } \mapsto \sup _n\ {\varPhi }^n(0)\) is continuous. If \(f_1, f_2, \dots \) is an increasing chain, then \({\varPhi }_{f_1}, {\varPhi }_{f_2}, \dots \) is also an increasing chain (because \({\varPhi }_f\) is monotone in f). Thus, \(\sup _n (\sup _i\ {\varPhi }_{f_i})^n(0) = \sup _i (\sup _n\ {\varPhi }_{f_i}^n(0)) =\sup _i\ \mathtt {wp}[\![{C}]\!](f_i)\), as required.

    • Measurability:

      The function \({\varPhi }_f(X) = [\lnot \phi ](f) + [\phi ] \mathtt {wp}[\![{C'}]\!](X)\) is continuous for all measurable f by the induction hypothesis, so by the fixpoint theorem \(\mathtt {lfp}\ X .{\varPhi }_f(X)\) exists in the domain of measurable functions.

  • Case \(C = C_1;C_2\):

    • Continuity:

      We have:

      $$ \mathtt {wp}[\![{C}]\!](\sup _i f_i) = \mathtt {wp}[\![{ C_1}]\!](\mathtt {wp}[\![{C_2 }]\!](\sup _i f_i)) $$

      By induction hypothesis, \(\mathtt {wp}[\![{C_2 }]\!](\sup _i f_i) = \sup _i \mathtt {wp}[\![{C_2 }]\!](f_i) \). The induction hypothesis also states that \(\mathtt {wp}[\![{C_2 }]\!](f_i) \) is measurable for all measurable \(f_i\), which also means that \(\sup _i \mathtt {wp}[\![{C_2 }]\!](f_i) \) is measurable. Hence, \(\mathtt {wp}[\![{ C_1}]\!](\sup _i \mathtt {wp}[\![{C_2 }]\!](f_i))\) is well-defined. By applying the induction hypothesis again, we get \(\mathtt {wp}[\![{ C_1}]\!](\sup _i \mathtt {wp}[\![{C_2 }]\!](f_i)) = \sup _i \mathtt {wp}[\![{ C_1}]\!](\mathtt {wp}[\![{C_2 }]\!](f_i))\), as required.

    • Measurability:

      By induction hypothesis, \(\mathtt {wp}[\![{C_2 }]\!](f)\) is measurable, and so \(\mathtt {wp}[\![{ C_1}]\!](\mathtt {wp}[\![{C_2 }]\!](f))\) is also measurable by induction hypothesis.

  • The other cases are straightforward.

   \(\square \)

D Proofs for the Operational Semantics

D.1 Properties of the Operational Semantics

This section consists of proofs of properties of the operational semantics which are needed to prove Proposition 1.

Basic Properties. We begin by stating two basic properties: that reduction is deterministic and that the weight always stays positive.

Lemma 15 (Evaluation is deterministic)

For any configuration \(\kappa \), if \(\kappa \vdash \kappa '\) and \(\kappa \vdash \kappa ''\), then \(\kappa ' = \kappa ''\).

Lemma 16

If \(\kappa \vdash \kappa '\) and \(\mathsf{weight}(\kappa ) > 0\), then \(\mathsf{weight}(\kappa ') > 0\).

Invariance of Reduction Relation. The functions \(\mathbf {O}_C^{\sigma }\) and \(\mathbf {SC}_C^{\sigma }\) are defined in terms of reduction chains which start at configurations with \(K=[]\), \(n=0\) and \(w=1\). However, in order to reason about evaluation of compositions of terms, we need to deal with reduction sequences starting at intermediate configurations, where this property does not hold. The following lemmas show that the reduction relation is preserved by modifying the initial and final step count, weight and continuation.

Proving invariance of the semantics under step count and weight change is straightforward:

Lemma 17

If \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C', K', \sigma ', \theta '_K, n+n', w' \rangle \), then for all \(w'' > 0\) and integer \(n'' \ge -n\), \(\langle \theta , C, K, \sigma , \theta _K, n + n'', w'' w \rangle \vdash ^{*} \langle \theta ', C', K', \sigma ', \theta '_K, n + n'' +n', w'' w' \rangle \).

Proof

Simple induction on \(n'\).    \(\square \)

The rest of this section shows that the semantics is also preserved by extending the initial continuation. In the following lemmas, we write \(K @ K'\) for the concatenation of two continuations K and \(K'\) (recall that a continuation is a list of expressions).

Lemma 18

  • If \(\langle \theta , C, K', \sigma , \theta _K, n, w \rangle \vdash \langle \theta ', C', K'', \sigma ', \theta _K', n + 1, w' \rangle \) and and \((C,K') \ne (\mathord {\downarrow }, [])\), then \(\langle \theta , C, K'@K, \sigma , \theta _K, n, w \rangle \vdash \langle \theta ', C', K''@K, \sigma ', \theta _K', n + 1, w' \rangle \).

  • If then .

Proof

By inspection of the reduction rules.    \(\square \)

Lemma 19

If \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta '_K, n + n', w' \rangle \), then there exists a unique \(\hat{n} \le n'\) such that \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash ^{*}_{\mathtt {min}} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta '_K, n + \hat{n}, w' \rangle \)

Proof

Obvious.    \(\square \)

Lemma 20

If \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C', K', \sigma ', \theta '_K, n+n', w' \rangle \) and \((C', K') \ne (\mathord {\downarrow }, [])\) and , then for all \(K''\), \(\langle \theta , C, K @ K'', \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C', K' @ K'', \sigma ', \theta '_K, n+n', w' \rangle \).

Proof

By induction on \(n'\):

  • Base case: \(n' = 0\): trivial

  • Induction step: Let \(n' > 0\). Then we have \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash \langle \hat{\theta }, \hat{C}, \hat{K}, \hat{\sigma }, \hat{\theta _K}, n+1, \hat{w} \rangle \vdash ^{*} \langle \theta ', C', K', \sigma ', \theta '_K, n+n', w' \rangle \). We now need to split on the derivation of \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash \langle \hat{\theta }, \hat{C}, \hat{K}, \hat{\sigma }, \hat{\theta _K}, n+1, w \rangle \).

    • If \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash \langle \hat{\theta }, \hat{C}, \hat{K}, \hat{\sigma }, \hat{\theta _K}, n+1, \hat{w} \rangle \) was derived with (seq), then \(C = C_1; C_2\), \(\hat{K} = C_2 \mathrel {{:}{:}} K\) and we have \(\langle \theta , C_1; C_2, K, \sigma , \theta _K, n, w \rangle \vdash \langle \pi _L(\theta ), C_1, C_2 \mathrel {{:}{:}} K, \sigma , \pi _L(\theta ) \mathrel {{:}{:}} \theta _K, n+1, w \rangle \vdash ^{*} \langle \theta ', C', K', \sigma ', \theta '_K, n+n', w' \rangle \).

      By (seq), \(\langle \theta , C_1; C_2, K@K'', \sigma , \theta _K, n, w \rangle \vdash \langle \pi _L(\theta ), C_1, C_2 \mathrel {{:}{:}} K@K'', \sigma , \pi _L(\theta ) \mathrel {{:}{:}} \theta _K, n+1, w \rangle \), and by the induction hypothesis, \(\langle \pi _L(\theta ), C_1, C_2 \mathrel {{:}{:}} K @ K'', \sigma , \pi _L(\theta ) \mathrel {{:}{:}} \theta _K, n+1, \hat{w} \rangle \vdash ^{*} \langle \theta ', C', K' @ K'', \sigma ', \theta '_K, n+n', w' \rangle \).

    • If \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash \langle \hat{\theta }, \hat{C}, \hat{K}, \hat{\sigma }, \hat{\theta _K}, n+1, \hat{w} \rangle \) was derived with (pop), then \(C = \mathord {\downarrow }\) and \(K = C' \mathrel {{:}{:}} K'''\) and we have \(\langle \theta , \mathord {\downarrow }, C' \mathrel {{:}{:}} K''', \sigma , \theta _K, n, w \rangle \vdash \langle \pi _L(\theta _K), C', K''', \sigma , \pi _R(\theta _K) , n+1, w \rangle \vdash ^{*} \langle \theta ', C', K', \sigma ', \theta '_K, n+n', w' \rangle \).

      By (pop), \(\langle \theta , \mathord {\downarrow }, C' \mathrel {{:}{:}} K''' @ K'', \sigma , \theta _K, n, w \rangle \vdash \langle \pi _L(\theta _K), C', K''' @ K'', \sigma , \pi _R(\theta _K) , n+1, w \rangle \), and by induction hypothesis, \(\langle \pi _L(\theta _K), C', K''' @ K'', \sigma , \pi _R(\theta _K) , n+1, w \rangle \vdash ^{*} \langle \theta ', C', K' @ K'', \sigma ', \theta '_K, n+n', w' \rangle \).

    • Otherwise, we have \(\hat{K} = K\) and by inspection of the reduction rules, \(\langle \theta , C, K@K'', \sigma , \theta _K, n, w \rangle \vdash \langle \hat{\theta }, \hat{C}, K@K'', \hat{\sigma }, \hat{\theta _K}, n+1, \hat{w} \rangle \), so the result follows immediately by applying the induction hypothesis (note that \((C', K') \ne (\mathord {\downarrow }, [])\) implies that \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash \langle \hat{\theta }, \hat{C}, \hat{K}, \hat{\sigma }, \hat{\theta _K}, n+1, \hat{w} \rangle \) is not derived with (final)).

   \(\square \)

Corollary 4

If \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C', K', \sigma ', \theta '_K, n+n', w' \rangle \) and and \((C', K') \ne (\mathord {\downarrow }, [])\), then for all \(w'' > 0\), integer \(n'' \ge -n\) and \(K''\), \(\langle \theta , C, K @ K'', \sigma , \theta _K, n + n'', w'' w \rangle \vdash ^{*} \langle \theta ', C', K' @ K'', \sigma ', \theta '_K, n + n'' +n', w'' w' \rangle \).

The reason we added the condition \((C', K') \ne (\mathord {\downarrow }, [])\) to the premise of Lemma 20 is that in our semantics, a “final” configuration with statement \(\mathord {\downarrow }\) and empty continuation reduces to itself (by the (final) rule) infinitely. If we replaced [] with some non-empty continuation K, the rule (pop) would be applied instead of (final) and the reduction would be completely different. The statement \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta '_K, n+n', w' \rangle \) says nothing about how many times the rule (final) was applied at the end, so we do not know what the final configuration after \(n'\) steps would be if we appended some continuation \(K'\) to K.

Because of that, we need to treat the case \((C', K') = (\mathord {\downarrow }, [])\) separately. We first introduce some new notation: we write \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash ^{*}_{\mathtt {min}} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta '_K, n + n', w' \rangle \) if \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta '_K, n + n', w' \rangle \) and there is no \(n'' < n'\) such that \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta '', \mathord {\downarrow }, [], \sigma '', \theta ''_K, n + n'', w'' \rangle \) (or, equivalently, \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta '_K, n + n', w' \rangle \) was derived without (final)).

Lemma 21 (Evaluation with continuation)

If \(\langle \theta , C, [], \sigma , \theta _K, n, w \rangle \vdash ^{*}_{\mathtt {min}} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta '_K, n + n', w' \rangle \) and , then \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, K, \sigma ', \theta '_K, n + n', w' \rangle \).

Proof

We will prove a more general statement:

If \(\langle \theta , C, K', \sigma , \theta _K, n, w \rangle \vdash ^{*}_{\mathtt {min}} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K', n + n', w' \rangle \), then \(\langle \theta , C, K'@K, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, K, \sigma ', \theta _K', n + n', w' \rangle \),

by induction on \(n'\):

  • Base case: \(n' = 0\): This implies that \(C = \mathord {\downarrow }\) and \(w' = w\) and \(K' = []\) and \(\theta _K' = \theta _K\), so the result follows trivially.

  • Induction step: for \(n' > 0\), we have \(\langle \theta , C, K', \sigma , \theta _K, n, w \rangle \vdash \langle \hat{\theta }, \hat{C}, \hat{K'}, \hat{\sigma }, \hat{\theta _K}, n+1, \hat{w} \rangle \vdash ^{*}_{\mathtt {min}} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K', n + n', w' \rangle \), where \((C, K') \ne (\mathord {\downarrow }, [])\), as otherwise the configuration would reduce in 0 steps. By Lemma 18, \(\langle \theta , C, K'@K, \sigma , \theta _K, n, w \rangle \vdash \langle \hat{\theta }, \hat{C}, \hat{K'}@K, \hat{\sigma }, \hat{\theta _K}, n+1, \hat{w} \rangle \) and by induction hypothesis, \(\langle \hat{\theta }, \hat{C}, \hat{K'} @ K, \hat{\sigma }, \hat{\theta _K}, n+1, \hat{w} \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, K, \sigma ', \theta _K', n + 1 + (n'-1), w' \rangle \), which ends the proof.

   \(\square \)

Corollary 5

If \(\langle \theta , C, [], \sigma , \theta _K, n, w \rangle \vdash ^{*}_{\mathtt {min}} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K, n + n', w' \rangle \) and , then \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, K, \sigma ', \theta _K, n + n', w' \rangle \).

We also need to show that reductions leading to a failed observation are also preserved when appending a continuation.

Lemma 22

If then for all \(K''\), .

Proof

If \(n' = 0\), the result follows trivially.

If \(n' > 0\), then we have (otherwise the initial configuration would not reduce), and so the last rule in the derivation of must have been (condition-false).

Hence, , where and \(\sigma '(\phi ) = \mathtt {false}\). By Lemma 20, \(\langle \theta , C, K@ K'', \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathtt {observe}(\phi ), \hat{K} @ K'', \sigma ', \theta '_K, n+n'-1, w' \rangle \). By applying (condition-false) again, we get , as required.    \(\square \)

Lemma 23

If \(C_1 \ne C_1'; C_1''\) and , then .

Proof

By Lemma 22 . As \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash \langle \pi _L(\theta ), C_1, [C_2], \sigma , \pi _R(\theta ) \mathrel {{:}{:}}\theta _K, 1, 1 \rangle \) by (seq), Lemma 17 yields .    \(\square \)

Sequencing. We now use the above results to relate the final and intermediate configurations in the reduction of a statement \(C_1\) to the intermediate configurations reached when reducing \(C_1;C_2\).

Lemma 24 (Context evaluation for simple sequencing)

If \(C_1 \ne C_1'; C_1''\) and \(\langle \theta , C_1, [], \sigma , \theta _K, n, w \rangle \vdash ^{*}_{\mathtt {min}} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K, n + n', w' \rangle \) and , then \(\langle \theta \mathcal {::} \pi _L(\theta _K), C_1;C_2, [], \sigma , \pi _R(\theta _K), n, w \rangle \vdash ^{*} \langle \pi _L(\theta _K), C_2, [], \sigma ', \pi _R(\theta _K), n + n' + 2, w' \rangle \).

Proof

By (seq): \(\langle \theta \mathcal {::} \pi _L(\theta _K), C_1;C_2, [], \sigma , \pi _R(\theta _K), n, w \rangle \vdash \langle \theta , C_1, [C_2], \sigma , \theta _K, n+1, w \rangle \).

By Lemma 21 (and the fact that we can change n): \(\langle \theta , C_1, [C_2], \sigma , \theta _K, n+1, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [C_2], \sigma ', \theta _K, (n + 1) + n', w' \rangle \).

By (pop), \(\langle \theta ', \mathord {\downarrow }, [C_2], \sigma ', \theta _K, (n + 1) + n', w' \rangle \vdash \langle \pi _L(\theta _K), C_2, [], \sigma ', \pi _R(\theta _K), (n + 1) + n' + 1, w' \rangle \), as required.    \(\square \)

Lemma 25

If \(C_1 \ne C_1'; C_1''\) and \(\langle \theta , C_1, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C', K, \sigma ', \theta '_K, n + n', w' \rangle \) and and \((C', K') \ne (\mathord {\downarrow }, [])\), then \(\langle \theta \mathcal {::} \pi _L(\theta _K), C_1;C_2, [], \sigma , \pi _R(\theta _K), n, w \rangle \vdash ^{*} \langle \theta ' , C', K @ [C_2], \sigma ', \theta '_K, n + n' + 1, w' \rangle \).

Proof

By (seq), we have \(\langle \theta \mathcal {::} \pi _L(\theta _K), C_1;C_2, [], \sigma , \pi _R(\theta _K), n, w \rangle \vdash \langle \theta , C_1, [C_2], \sigma , \theta _K, n+1, w \rangle \). Then, by Corollary 4, \(\langle \theta , C_1, [C_2], \sigma , \theta _K, n+1, w \rangle \vdash ^{*} \langle \theta ', C', K@[C_2], \sigma ', \theta '_K, n + n'+1, w' \rangle \), as required.    \(\square \)

Splitting a Sequence Evaluation. We now show that if a sequence \(C_1;C_2\) of statements evaluates under entropy \(\theta \) to a proper state, then \(C_1\) in itself must evaluate under \(\pi _L(\theta )\), and that if the evaluation of \(C_1;C_2\) results in an error, then \(C_1\) cannot diverge. These properties will be needed to show compositionality of the semantics.

To prove the first of the above properties, we first prove that if a configuration with an empty continuation reduces completely, then the continuation entropy \(\theta _K\) in the final configuration will be identical to the original one (intermediate steps may extend \(\theta _{K}\), but all sub-entropies added to \(\theta _K\) will subsequently be removed). In the following lemma, we write |K| for the length of list K.

Lemma 26

If \(\langle \theta , C, K, \sigma , \hat{\theta _K}, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K', n + n', w' \rangle \) and and \(\pi _R^{|K|}(\hat{\theta _K}) = \theta _K\), then \(\theta _K' = \theta _K\).

Proof

By induction on \(n'\):

  • Base case: \(n'=0\): then obviously \(|K| = 0\) and \(\hat{\theta _K} = \theta _K\), so the result follows trivially.

  • Induction step: if \(n' > 0\), then \(\langle \theta , C, K, \sigma , \hat{\theta _K}, n, w \rangle \vdash \langle \theta '', C'', K', \sigma '', \theta _K'', n+1, w'' \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K', n + n', w' \rangle \).

    Now we need to split on the first rule in this derivation chain.

    If the first transition was derived with (seq), then \(|K'| = |K| + 1\) and \(\theta _K'' = \pi _R(\theta ) \mathrel {{:}{:}} \hat{\theta _K}\). We have \(\pi _R^{|K'|}(\theta _K'') = \pi _R^{|K| + 1}(\pi _R(\theta ) \mathrel {{:}{:}} \hat{\theta _K}) = \pi _R^{|K|}(\pi _R(\pi _R(\theta ) \mathrel {{:}{:}} \hat{\theta _K})) = \pi _R^{|K|}(\hat{\theta _K}) = \theta _K\), so by induction hypothesis, \(\theta _K' = \theta _K\).

    If the first transition was derived with (pop), then \(|K'| = |K| - 1\) and \(\theta _K'' = \pi _R(\hat{\theta _K}) \). Thus, \(\pi _R^{|K'|}(\theta _K'') = \pi _R^{|K|-1}(\pi _R(\hat{\theta _K})) = \pi _R^{|K|}(\hat{\theta _K}) = \theta _K\), so by induction hypothesis, \(\theta _K' = \theta _K\).

    Otherwise, we have \(K' = K\) (note that implies ) and \(\theta _K'' = \hat{\theta _K}\), so \(\pi _R^{|K'|}(\theta _K'') = \theta _K\). By induction hypothesis, \(\theta _K' = \theta _K\).

   \(\square \)

Corollary 6

If \(\langle \theta , C, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K', n + n', w' \rangle \) and , then \(\theta _K' = \theta _K\).

We now prove that if \(C_1;C_2\) successfully evaluates with entropy \(\theta \), then \(C_1\) also successfully evaluates with entropy \(\pi _L(\theta )\).

Lemma 27 (Interpolation for Continuations)

If \(\langle \theta , C, K_1 @ K_2, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K', n + n', w' \rangle \) and , then \(\langle \theta , C, K_1, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta '', \mathord {\downarrow }, [], \sigma '', \theta _K'', n + n'', w'' \rangle \), where .

Proof

By induction on \(n'\).

  • Base case: \(n' = 0\): in this case, \(C = \mathord {\downarrow }\) and \(K_1 = K_2 = []\), so the result follows trivially.

  • Induction step: suppose \(\langle \theta , C, K_1 @ K_2, \sigma , \theta _K, n, w \rangle \vdash \langle \hat{\theta }, \hat{C}, \hat{K}, \hat{\sigma }, \hat{\theta _K}, n+1, \hat{w} \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K', n + n', w' \rangle \).

    If \(\langle \theta , C, K_1 @ K_2, \sigma , \theta _K, n, w \rangle \vdash \langle \hat{\theta }, \hat{C}, \hat{K}, \hat{\sigma }, \hat{\theta _K}, n+1, \hat{w} \rangle \) was derived with (seq), then \(C = C_1; C_2\), \(C_1 \ne C_1';C_1''\), \(\hat{K} = C_2 \mathrel {{:}{:}} K_1 @ K_2\), \(\hat{\theta } = \pi _L(\theta )\), \(\hat{w} = w\) and \(\hat{\theta _K} = \pi _R(\theta ) \mathrel {{:}{:}} \theta _K\). By (seq), we have \(\langle \theta , C_1;C_2, K_1, \sigma , \theta _K, n, w \rangle \vdash \langle \pi _L(\theta ), C_1, C_2 \mathrel {{:}{:}} K_1, \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, n+1, w \rangle \). By induction hypothesis, . Hence, \(\langle \theta , C_1;C_2, K_1, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta '', \mathord {\downarrow }, [], \sigma '', \theta _K'', n + n'', w'' \rangle \), as required.

    If \(\langle \theta , C, K_1 @ K_2, \sigma , \theta _K, n, w \rangle \vdash \langle \hat{\theta }, \hat{C}, \hat{K}, \hat{\sigma }, \hat{\theta _K}, n+1, \hat{w} \rangle \) was derived with (pop), then \(C = \mathord {\downarrow }\), \(K_1 @ K_2 = \hat{C} \mathrel {{:}{:}}\hat{K}\), \(\hat{w} = w\), \(\hat{\theta } = \pi _L(\theta _K)\) and \(\hat{\theta _K} = \pi _R(\theta _K) \).

    • If \(K_1 \ne []\), then \(K_1 = \hat{C} \mathrel {{:}{:}}\hat{K_1}\) and \(\hat{K} = \hat{K_1} @ K_2\) and we have \(\langle \theta , \mathord {\downarrow }, \hat{C} \mathrel {{:}{:}}\hat{K_1}, \sigma , \theta _K, n, w \rangle \vdash \langle \pi _L(\theta _K), \hat{C} , \hat{K_1}, \sigma , \pi _R(\theta _K), n+1, w \rangle \). By induction hypothesis, . Hence, we have \(\langle \theta , \mathord {\downarrow }, \hat{C} \mathrel {{:}{:}}\hat{K_1}, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta '', \mathord {\downarrow }, [], \sigma '', \theta _K'', n + n'', w'' \rangle \).

    • If \(K_1 = []\), then trivially \(\langle \theta , \mathord {\downarrow }, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta , \mathord {\downarrow }, [], \sigma , \theta _K, n, w \rangle \) in zero steps.

    Otherwise, \(\hat{K} = K_1 @ K_2\) and \(\hat{\theta _K} = \theta _K\) and by inspection of the reduction rules, \(\langle \theta , C, K_1, \sigma , \theta _K, n, w \rangle \vdash \langle \hat{\theta }, \hat{C}, K_1, \hat{\sigma }, \theta _K, n+1, \hat{w} \rangle \). Hence, by induction hypothesis, \(\langle \theta , C, K_1, \sigma , \theta _K, n, w \rangle \vdash \langle \hat{\theta }, \hat{C}, K_1, \hat{\sigma }, \theta _K, n+1, \hat{w} \rangle \vdash ^{*} \langle \theta '', \mathord {\downarrow }, [], \sigma '', \theta _K'', n + n'', w'' \rangle \) and , as required.

   \(\square \)

Lemma 28 (Interpolation)

If \(C_1 \ne C_1'; C_1''\) and \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K, n + n', w' \rangle \) and , then \(\langle \pi _L(\theta ), C_1, [], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, n, w \rangle \vdash ^{*} \langle \theta '', \mathord {\downarrow }, [], \sigma '', \theta _K, n + n'', w'' \rangle \), where .

Proof

The first rule applied in the derivation of \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K, n + n', w' \rangle \) is (seq), which gives \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, n, w \rangle \vdash \langle \pi _L(\theta ), C_1, [C_2], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, n+1, w \rangle \). Hence, \(\langle \pi _L(\theta ), C_1, [C_2], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, n+1, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K, n + n', w' \rangle \). By applying Lemma 27 with \(K_1= []\) and Corollary 6, we get \(\langle \pi _L(\theta ), C_1, [], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, n+1, w \rangle \vdash ^{*} \langle \theta '', \mathord {\downarrow }, [], \sigma '', \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, n + n'', w'' \rangle \), where , as required.    \(\square \)

Finally, we show that if the evaluation of \(C_1;C_2\) with entropy \(\theta \) yields an error, then the evaluation of \(C_1\) under \(\pi _L(\theta )\) either terminates successfully or also results in an error (depending on where the error in the evaluation of \(C_1;C_2\) occurred)—at any rate, \(C_1\) does not diverge.

Lemma 29

If \(C_1 \ne C_1'; C_2'\) and \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C', K, \sigma ', \theta _K', n, w \rangle \nvdash \), then either \(\langle \pi _L(\theta ), C_1, [], \sigma , \pi _R(\theta ) \mathrel {{:}{:}}\theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta '', \mathord {\downarrow }, [], \sigma '', \theta _K, n', w' \rangle \) or \(\langle \pi _L(\theta ), C_1, [], \sigma , \pi _R(\theta ) \mathrel {{:}{:}}\theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta '', C_1'', K'', \sigma '', \theta _K, n', w' \rangle \nvdash \).

Proof

The statement in the lemma is equivalent to saying that it is not the case that for all k, \(\langle \pi _L(\theta ), C_1, [], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta '', C_1'', K'', \sigma '', \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, k, w' \rangle \) with \((C_1'', K'') \ne (\mathord {\downarrow }, [])\). Suppose for contradiction that the negation of this statement holds. By (seq), we have \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash \langle \pi _L(\theta ), C_1, [C_2], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, 1, 1 \rangle \), so \(\langle \pi _L(\theta ), C_1, [C_2], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, 1, 1 \rangle \vdash ^{*} \langle \theta ', C', K, \sigma ', \theta _K', n, w \rangle \).

Take \(k = n - 1\). Then we have \(\langle \pi _L(\theta ), C_1, [], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta '', C_1'', K'', \sigma '', \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, n-1, w' \rangle \vdash \langle \hat{\theta }, \hat{C_1}, \hat{K}, \hat{\sigma }, \hat{\theta _K}, n, \hat{w} \rangle \), where (otherwise the middle configuration would not reduce) and \((C_1'', K'') \ne (\mathord {\downarrow }, [])\). By Corollary 4, we have \(\langle \pi _L(\theta ), C_1, [C_2], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, 1, 1 \rangle \vdash ^{*} \langle \theta '', C_1'', K''@[C_2], \sigma '', \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, n, w' \rangle \). Hence, \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta '', C_1'', K''@[C_2], \sigma '', \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, n, w' \rangle \) and \(\langle \theta '', C_1'', K''@[C_2], \sigma '', \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, n, w' \rangle = \langle \theta ', C', K, \sigma ', \theta _K', n, w \rangle \), since reduction is deterministic. By Lemma 18, this implies that \(\langle \theta ', C', K, \sigma ', \theta _K', n, w \rangle \) reduces, contradicting the assumption.    \(\square \)

Corollary 7

If \(C_1 \ne C_1'; C_2'\) and \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C', K, \sigma ', \theta _K', n, w \rangle \nvdash \), then \(\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) \ne \uparrow \).

D.2 Properties of the Semantic Functions

Compositionality of Sequencing. A desirable and useful property of the semantic functions is compositionality with respect to sequencing, i.e., the ability to define \(\mathbf {O}_{C_1;C_2}^{\sigma }\) in terms of \(\mathbf {O}_{C_1}^{\sigma _1}\) and \(\mathbf {O}_{C_2}^{\sigma _2}\) for some states \(\sigma _1\) and \(\sigma _2\). Similarly for \(\mathbf {SC}_{C_1;C_2}^{\sigma }\). We can easily express the semantics of \(C_1; C_2\) in terms of the semantics of \(C_1\) and \(C_2\) if \(C_1\) is not a sequence of statements. (Recall the explanation of the rule (seq).)

Proposition 1 (Simple sequencing for final states)

If \(C_1 \ne C_1'; C_2'\), then:

$$ \mathbf {O}_{C_1;C_2}^{\sigma }(\theta ) = \mathbf {O}_{C_2}^{\tau }(\pi _R(\theta )) \quad \text {and} \quad \mathbf {SC}_{C_1;C_2}^{\sigma }(\theta ) = \mathbf {SC}_{C_1}^\sigma (\pi _L(\theta )) \cdot \mathbf {SC}_{C_2}^{\tau }(\pi _R(\theta )) $$

where \(\tau \) stands for the state \(\mathbf {O}_{C_1}^\sigma (\pi _L(\theta ))\).
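The following Python sketch is an added example, not code from the chapter: a small-step machine over configurations \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \) that applies (seq), (pop) and (final) in the form used in the proofs above and compares both sides of Proposition 1 on constructed programs. The hash-based entropy model, the sampling rule, the shapes of the rules for assignment, score, observe and while, the step budget standing in for divergence, and all Python names are assumptions.

```python
import hashlib
import math

# Entropy (assumed model): hash-derived tree with pi_L(a::b) = a, pi_R(a::b) = b.
def leaf(seed): return ("leaf", str(seed))
def cons(a, b): return ("cons", a, b)
def _derive(theta, tag):
    return ("leaf", hashlib.sha256((theta[1] + tag).encode()).hexdigest())
def pi_L(theta): return theta[1] if theta[0] == "cons" else _derive(theta, "L")
def pi_R(theta): return theta[2] if theta[0] == "cons" else _derive(theta, "R")
def draw(theta):
    """Value in [0, 1) read from an entropy (assumed rule for sampling from U)."""
    if theta[0] == "cons":
        return draw(theta[1])
    digest = hashlib.sha256((theta[1] + "U").encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2**64

DONE = ("done",)   # the terminated statement (down arrow)
ERR = "ERR"        # error outcome: failed observe or stuck configuration
DIV = "DIV"        # stands in for divergence (up arrow): step budget exhausted

def seq(*cs):
    """Right-nested C1;(C2;(...)) so the head of a sequence is never a sequence."""
    flat = []
    for c in cs:
        while c[0] == "seq":
            flat.append(c[1])
            c = c[2]
        flat.append(c)
    out = flat[-1]
    for c in reversed(flat[:-1]):
        out = ("seq", c, out)
    return out

def step(cfg):
    """One reduction step on <theta, C, K, sigma, theta_K, n, w>; None if stuck."""
    theta, C, K, sigma, tK, n, w = cfg
    kind = C[0]
    if kind == "done" and not K:                       # (final): self-loop
        return (theta, C, K, sigma, tK, n + 1, w)
    if kind == "done":                                 # (pop)
        return (pi_L(tK), K[0], K[1:], sigma, pi_R(tK), n + 1, w)
    if kind == "seq":                                  # (seq)
        return (pi_L(theta), C[1], (C[2],) + K, sigma,
                cons(pi_R(theta), tK), n + 1, w)
    # The remaining rules are assumed shapes, not taken from the chapter.
    if kind == "assign":
        return (theta, DONE, K, {**sigma, C[1]: C[2](sigma)}, tK, n + 1, w)
    if kind == "sample":
        return (theta, DONE, K, {**sigma, C[1]: draw(theta)}, tK, n + 1, w)
    if kind == "score":                                # weight stays positive
        v = C[1](sigma)
        return (theta, DONE, K, sigma, tK, n + 1, w * v) if 0 < v <= 1 else None
    if kind == "observe":
        ok = C[1](sigma)
        return (theta, DONE if ok else C, K, sigma if ok else ERR, tK, n + 1, w)
    if kind == "while":
        nxt = seq(C[2], C) if C[1](sigma) else DONE
        return (theta, nxt, K, sigma, tK, n + 1, w)
    raise ValueError(f"unknown statement {kind!r}")

def run(C, sigma, theta, theta_K=leaf("K0"), fuel=10_000):
    """Return (final state, score) from K = [], n = 0, w = 1; score is None
    unless a proper final state is reached."""
    if not isinstance(sigma, dict):     # error / divergence propagate
        return sigma, None
    cfg = (theta, C, (), sigma, theta_K, 0, 1.0)
    for _ in range(fuel):
        if cfg[1] == DONE and not cfg[2]:   # stop at the first final configuration
            return cfg[3], cfg[6]
        cfg = step(cfg)
        if cfg is None or cfg[3] == ERR:
            return ERR, None
    return DIV, None

def check_prop1(C1, C2, sigma, theta):
    """Compare both sides of Proposition 1 for one entropy theta."""
    assert C1[0] != "seq", "Proposition 1 requires C1 not to be a sequence"
    lhs_state, lhs_w = run(seq(C1, C2), sigma, theta)
    tau, w1 = run(C1, sigma, pi_L(theta))
    rhs_state, w2 = run(C2, tau, pi_R(theta))
    if lhs_state != rhs_state:
        return False
    if lhs_w is None or w1 is None or w2 is None:
        return lhs_w is None and (w1 is None or w2 is None)
    return math.isclose(lhs_w, w1 * w2, rel_tol=1e-12)

# Constructed sample programs.
C1 = ("while", lambda s: s["x"] < 3,
      seq(("sample", "u"),
          ("assign", "x", lambda s: s["x"] + s["u"]),
          ("score", lambda s: 0.5 + s["u"] / 2)))
C2 = seq(("score", lambda s: s["x"] / 4), ("assign", "y", lambda s: 2 * s["x"]))
FAIL = ("observe", lambda s: False)
NEG = ("observe", lambda s: s["x"] < 0)

if __name__ == "__main__":
    for seed in range(5):
        print(seed, run(seq(C1, C2), {"x": 0.0}, leaf(seed)),
              check_prop1(C1, C2, {"x": 0.0}, leaf(seed)))
```

Because `run` stops at the first configuration with statement \(\mathord {\downarrow }\) and empty continuation, it follows the \(\vdash ^{*}_{\mathtt {min}}\) reading; calling `step` on such a configuration only increments the step count, while the same statement with a non-empty continuation is reduced by (pop).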

Below, we prove Proposition 1. To simplify presentation, we split it into two separate lemmas, one concerning final states and one concerning scores.

Lemma 30 (Simple sequencing for final states)

If \(C_1 \ne C_1'; C_2'\), then \(\mathbf {O}_{C_1;C_2}^{\sigma }(\theta ) = \mathbf {O}_{C_2}^{\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) }(\pi _R(\theta ))\)

Proof

If \(\sigma = \uparrow \), then \(LHS = RHS = \uparrow \) directly by definition.

If , the result also follows trivially, so let us suppose and \(\sigma \ne \uparrow \). We need to consider several cases:

  • If , then \( \langle \pi _L(\theta ), C_1, [], \sigma , \pi _R(\theta ) \mathrel {{:}{:}}\theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C_1', K, \tau , \theta _K', n , w \rangle \nvdash \). By (seq), we have \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash \langle \pi _L(\theta ), C_1, [C_2], \sigma , \pi _R(\theta ) \mathrel {{:}{:}}\theta _K, 1, 1 \rangle \).

    If , then by Lemmas 20 and 17, \(\langle \pi _L(\theta ), C_1, [C_2], \sigma , \pi _R(\theta ) \mathrel {{:}{:}}\theta _K, 1, 1 \rangle \vdash ^{*} \langle \theta ', C_1', K@[C_2], \tau , \theta _K', n+1, w \rangle \nvdash \). Moreover, \(\langle \theta ', C_1', K, \tau , \theta _K', n , w \rangle \nvdash \) implies \(C_1' \ne \mathord {\downarrow }\) (because otherwise the configuration would reduce by (final) or (pop)), so by inspection, \(\langle \theta ', C_1', K@[C_2], \tau , \theta _K', n +1, w \rangle \nvdash \). Thus, .

    If , then \(C_1' = \mathord {\downarrow }\), \(K = []\) and by Lemmas 22 and 17 we have . Hence, .

  • If \(\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) = \uparrow \), then \(RHS = \uparrow \). Moreover, we have neither \(\langle \pi _L(\theta ), C_1, [], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \tau , \theta _K, n , w \rangle \) nor \(\langle \pi _L(\theta ), C_1, [], \sigma , \pi _R(\theta ) \mathrel {{:}{:}}\theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C', K, \tau , \theta _K', n , w \rangle \nvdash \).

    Now, suppose for contradiction that \(LHS \ne \uparrow \). Then we have either \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \tau , \theta _K, n , w \rangle \) (with ) or \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C', K, \tau , \theta _K', n , w \rangle \nvdash \).

    First, suppose that \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \tau , \theta _K, n , w \rangle \), where . By Lemma 28, this implies that \(\langle \pi _L(\theta ), C_1, [], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta '', \mathord {\downarrow }, [], \tau ', \pi _R(\theta ) \mathrel {{:}{:}}\theta _K, n' , w' \rangle \) and so \(\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) = \tau ' \ne \uparrow \), contradicting the assumption.

    If \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C', K, \tau , \theta _K', n , w \rangle \nvdash \), then by Corollary 7, we get a contradiction.

  • If , but , we have \(\langle \pi _L(\theta ), C_1, [], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, 0, 1 \rangle \vdash ^{*}_{\mathtt {min}} \langle \theta ', \mathord {\downarrow }, [], \tau ', \pi _R(\theta ) \mathrel {{:}{:}}\theta _K, n, w \rangle \) for some , where \(\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) = \tau '\), and \(\langle \pi _R(\theta ), C_2, [], \tau ', \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta '', C'', K', \tau , \theta _K', n' , w' \rangle \nvdash \). By Lemma 24, \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \pi _R(\theta ), C_2, [], \tau ', \theta _K, n+2, w \rangle \). By Lemma 17, \(\langle \pi _R(\theta ), C_2, [], \tau ', \theta _K, n+2, w \rangle \vdash ^{*} \langle \theta '', C'', K', \tau , \theta _K', n + 2 + n' , ww' \rangle \), where the last configuration clearly does not reduce, as changing the last two components cannot make any rule apply. Hence, , as required.

  • If , but \( \mathbf {O}_{C_2}^{\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) }(\pi _R(\theta )) = \uparrow \), we have again \(\langle \pi _L(\theta ), C_1, [], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, 0, 1 \rangle \vdash ^{*}_{\mathtt {min}} \langle \theta ', \mathord {\downarrow }, [], \tau ', \pi _R(\theta ) \mathrel {{:}{:}}\theta _K, n, w \rangle \) for some . Again, by Lemma 24, we have \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \pi _R(\theta ), C_2, [], \tau ', \theta _K, n+2, w \rangle \), but we have neither \(\langle \pi _R(\theta ), C_2, [], \tau ', \theta _K, 0 , 1 \rangle \vdash ^{*} \langle \theta '', \mathord {\downarrow }, [], \tau '', \theta _K, n', w' \rangle \) nor \(\langle \pi _R(\theta ), C_2, [], \tau ', \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta '', C'', K', \tau , \theta _K', n' , w' \rangle \nvdash \).

    Suppose for contradiction that \(LHS \ne \uparrow \). Then we have either \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \tau , \theta _K, \hat{n}, \hat{w} \rangle \) (with ) or \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C', K, \tau , \theta _K', \hat{n}, \hat{w} \rangle \nvdash \).

    In the former case, the determinacy of reduction implies \(\langle \pi _R(\theta ), C_2, [], \tau ', \theta _K, n+2, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \tau , \theta _K, \hat{n}, \hat{w} \rangle \), so by Lemma 17, \(\langle \pi _R(\theta ), C_2, [], \tau ', \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \tau , \theta _K, \hat{n}-n-2, \hat{w} / w \rangle \), which contradicts the assumption.

    Similarly, in the latter case, \(\langle \pi _R(\theta ), C_2, [], \tau ', \theta _K, n+2, w \rangle \vdash ^{*} \langle \theta ', C', K, \tau , \theta _K', \hat{n}, \hat{w} \rangle \nvdash \), which violates the assumption.

    Hence, \(\mathbf {O}_{C_1;C_2}^{\sigma }(\theta ) = \uparrow \).

  • Finally, suppose that and . Then we have again \(\langle \pi _L(\theta ), C_1, [], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, 0, 1 \rangle \vdash ^{*}_{\mathtt {min}} \langle \theta ', \mathord {\downarrow }, [], \tau ', \pi _R(\theta ) \mathrel {{:}{:}}\theta _K, n' , w' \rangle \) for some and \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \pi _R(\theta ), C_2, [], \tau ', \theta _K, n' , w' \rangle \) by Lemma 24. Since \(\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) = \tau '\) and , we have \(\langle \pi _R(\theta ), C_2, [], \tau ', \theta _K, n' , w' \rangle \vdash ^{*} \langle \theta '', \mathord {\downarrow }, [], \tau '', \theta _K, n'', w'' \rangle \). This also implies that

    \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta '', \mathord {\downarrow }, [], \tau '', \theta _K, n'', w'' \rangle \), and so \(\mathbf {O}_{C_1;C_2}^{\sigma }(\theta ) = \tau '' = \mathbf {O}_{C_2}^{\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) }(\pi _R(\theta ))\).

   \(\square \)

Lemma 31 (Simple sequencing for scores)

If \(C_1 \ne C_1'; C_2'\) then \(\mathbf {SC}_{C_1;C_2}^{\sigma }(\theta ) = \mathbf {SC}_{C_1}^\sigma (\pi _L(\theta )) \cdot \mathbf {SC}_{C_2}^{\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) }(\pi _R(\theta ))\)

Proof

If or \(\sigma = \uparrow \), the property holds trivially, so let us assume . We need to consider three cases:

  • If , then \(\langle \pi _L(\theta ), C_1, [], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, 0, 1 \rangle \vdash ^{*}_{\mathtt {min}} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \pi _R(\theta )\mathrel {{:}{:}} \theta _K, n, w \rangle \) and \(\mathbf {SC}_{C_1}^\sigma (\pi _L(\theta )) = w\).

    By Lemma 24, \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \pi _R(\theta ), C_2, [], \sigma ', \theta _K, n+2, w \rangle \).

    Now, fix a \(k \ge 0\).

    • If \(\langle \pi _R(\theta ), C_2, [], \sigma ', \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta '', C_2', K, \sigma '', \theta '_K, k, w' \rangle \), then \(\mathbf {SC}_{C_2}^{\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) }(\pi _R(\theta ), k) = w'\). By Lemma 17, \(\langle \pi _R(\theta ), C_2, [], \sigma ', \theta _K, n+2, w \rangle \vdash ^{*} \langle \theta '', C_2', K, \sigma '', \theta '_K, n+2 +k, w w' \rangle \), which implies \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta '', C_2', K, \sigma '', \theta '_K, n+2 +k, w w' \rangle \), and so \(\mathbf {SC}_{C_1;C_2}^{\sigma }(\theta , n+2 +k) = ww' = \mathbf {SC}_{C_1}^\sigma (\pi _L(\theta )) \mathbf {SC}_{C_2}^{\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) }(\pi _R(\theta ), k)\).

    • If there is no configuration \(\langle \theta '', C_2', K, \sigma '', \theta '_K, k, w' \rangle \) such that \(\langle \pi _R(\theta ), C_2, [], \sigma ', \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta '', C_2', K, \sigma '', \theta '_K, k, w' \rangle \), then \(\mathbf {SC}_{C_2}^{\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) }(\pi _R(\theta ), k) = 0\). If we had \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta '', C_2', K, \sigma '', \theta '_K, n+2 +k, w w' \rangle \), then, by determinacy of reduction, \(\langle \pi _R(\theta ), C_2, [], \sigma ', \theta _K, n+2, w \rangle \vdash ^{*} \langle \theta '', C_2', K, \sigma '', \theta '_K, n+2 +k, w w' \rangle \). By Lemma 17 and Lemma 16 (which ensures \(w>0\)), \(\langle \pi _R(\theta ), C_2, [], \sigma ', \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta '', C_2', K, \sigma '', \theta '_K, k, w' \rangle \), which contradicts the assumption. Hence, there is no configuration \(\langle \theta '', C_2', K, \sigma '', \theta '_K, n+2 +k, w w' \rangle \) such that \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta '', C_2', K, \sigma '', \theta '_K, n+2 +k, w w' \rangle \), and so \(\mathbf {SC}_{C_1;C_2}^{\sigma }(\theta , n+2 +k) =0\).

    In either case, \(\mathbf {SC}_{C_1;C_2}^{\sigma }(\theta , n+2+k) = \mathbf {SC}_{C_1}^\sigma (\pi _L(\theta )) \cdot \mathbf {SC}_{C_2}^{\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) }(\pi _R(\theta ), k)\) for all \(k \ge 0\). Thus, we have

    $$\begin{aligned} \mathbf {SC}_{C_1;C_2}^{\sigma }(\theta ) &= \lim _{n \rightarrow \infty } \mathbf {SC}_{C_1;C_2}^{\sigma }(\theta , n)\\ &= \lim _{k \rightarrow \infty } \mathbf {SC}_{C_1;C_2}^{\sigma }(\theta , n+2+k)\\ &= \lim _{k \rightarrow \infty } \mathbf {SC}_{C_1}^\sigma (\pi _L(\theta )) \cdot \mathbf {SC}_{C_2}^{\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) }(\pi _R(\theta ), k)\\ &= \mathbf {SC}_{C_1}^\sigma (\pi _L(\theta )) \lim _{k \rightarrow \infty } \mathbf {SC}_{C_2}^{\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) }(\pi _R(\theta ), k)\\ &= \mathbf {SC}_{C_1}^\sigma (\pi _L(\theta )) \mathbf {SC}_{C_2}^{\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) }(\pi _R(\theta )) \end{aligned}$$

  • If , then \(\mathbf {SC}_{C_2}^{\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) }(\pi _R(\theta )) = 0\), so \(RHS = 0\). Moreover, we have \(\langle \pi _L(\theta ), C_1, [], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C', K, \tau , \theta _K', n , w \rangle \nvdash \). If , then and \(K = []\) (as the last rule applied must have been (condition-false)), so by Lemma 23, . Hence, \(\mathbf {SC}_{C_1;C_2}^{\sigma }(\theta , n') = 0\) for all \(n' > n+1\), and so \(\mathbf {SC}_{C_1;C_2}^{\sigma }(\theta ) = 0\).

  • If \(\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) = \uparrow \), then \(RHS = \mathbf {SC}_{C_1}^\sigma (\pi _L(\theta )) \) and for all k, we have \(\langle \pi _L(\theta ), C_1, [], \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C''_1, K, \sigma ', \pi _R(\theta )\mathrel {{:}{:}} \theta '_K, k, w \rangle \), where . Fix \(k \ge 0\). We have \(\mathbf {SC}_{C_1}^\sigma (\pi _L(\theta ), k) = w\) and by Lemma 25, \(\langle \theta , C_1;C_2, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C''_1, K @ [C_2], \sigma ', \theta '_K, k+1, w \rangle \), which implies \(\mathbf {SC}_{C_1;C_2}^\sigma (\theta , k+1) = w\). Hence, \(\mathbf {SC}_{C_1;C_2}^\sigma (\theta , k+1) = \mathbf {SC}_{C_1}^\sigma (\pi _L(\theta ), k) \).

    Thus,

    $$\begin{aligned} \mathbf {SC}_{C_1;C_2}^{\sigma }(\theta ) &= \lim _{n \rightarrow \infty } \mathbf {SC}_{C_1;C_2}^{\sigma }(\theta , n)\\ &= \lim _{k \rightarrow \infty } \mathbf {SC}_{C_1;C_2}^{\sigma }(\theta , k+1)\\ &= \lim _{k \rightarrow \infty } \mathbf {SC}_{C_1}^\sigma (\pi _L(\theta ), k) \\ &= \mathbf {SC}_{C_1}^\sigma (\pi _L(\theta )) \end{aligned}$$

    as required.

   \(\square \)

Restatement of Proposition 1. If \(C_1 \ne C_1'; C_2'\), then \(\mathbf {O}_{C_1;C_2}^{\sigma }(\theta ) = \mathbf {O}_{C_2}^{\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) }(\pi _R(\theta ))\) and \(\mathbf {SC}_{C_1;C_2}^{\sigma }(\theta ) = \mathbf {SC}_{C_1}^\sigma (\pi _L(\theta )) \cdot \mathbf {SC}_{C_2}^{\mathbf {O}_{C_1}^\sigma (\pi _L(\theta )) }(\pi _R(\theta ))\)

Proof

This is a combination of Lemma 30 and Lemma 31.    \(\square \)

Proposition 1 is not applicable when \(C_1\) is a sequence of statements, as we cannot know what part of the entropy \(\theta \) will be used in the evaluation of which expression without knowing the length of the statement list in \(C_1\). However, the above result can be generalised using finite shuffling functions, as defined by [39].

Definition 30 ([39])

  • A path is a function \([d_1, \dots , d_n] :\mathbb {S} \rightarrow \mathbb {S}\) parametrised by a list of directions \(d_1, \dots , d_n \in \{L, R\}\), such that \([d_1, \dots , d_n](\theta ) = (\pi _{d_1} \circ \dots \circ \pi _{d_n})(\theta )\).

  • A finite shuffling function (FSF) is a function \(\phi :\mathbb {S} \rightarrow \mathbb {S}\) such that either \(\phi \) is a path or \(\phi (\theta ) = \phi _1(\theta ) \mathrel {{:}{:}} \phi _2(\theta )\), where \(\phi _1\) and \(\phi _2\) are FSFs.

  • A sequence of paths is non-duplicating if no path in the sequence is a suffix of another path.

  • A FSF \(\phi \) is non-duplicating if the sequence of all paths appearing in its definition is non-duplicating.

The following key result shows that entropy rearrangements via FSFs have no effect under integration:

Lemma 32 ([39], Th. 7.6)

Any non-duplicating FSF \(\phi \) is measure-preserving, i.e., for any measurable (Footnote 9) \(g :\mathbb {S} \rightarrow \overline{\mathbb {R}}_{+}\):

$$ \int g(\phi (\theta )) \, \mu (d\theta ) \ = \ \int g(\theta ) \, \mu (d\theta ). $$

We now have everything in place to define a version of Proposition 1 for an arbitrary split of a sequencing statement:

Proposition 2 (Sequencing for final states)

If \(C = C_1; C_2\), there exists a non-duplicating FSF \(\psi \) such that:

$$\mathbf {O}_C^\sigma (\theta ) = \mathbf {O}_{C_2}^{\tau }(\pi _R(\psi (\theta ))) \quad \text {and} \quad \mathbf {SC}_C^\sigma (\theta ) = \mathbf {SC}_{C_1}^\sigma (\pi _L(\psi (\theta ))) \cdot \mathbf {SC}_{C_2}^{\tau }(\pi _R(\psi (\theta ))) $$

with \(\tau \) denoting \(\mathbf {O}_{C_1}^\sigma (\pi _L(\psi (\theta )))\).

Proof

By induction on the structure of C.

  • Base case: \(C_1 \ne C_1'; C_1''\): the equality holds trivially for \(\psi = Id \) by Lemma 30.

  • Induction step: If \(C_1\) is a sequence of statements, then \(C_1 = C_1'; C_1''\) for some \(C_1'\) such that \(C_1' \ne \hat{C}_1'; \hat{C}_1''\).

    We have:

    for some non-duplicating FSF \(\psi \).

    Thus, if \(\theta = \theta _1 \mathrel {{:}{:}} \theta _2\), then

    $$\mathbf {O}_{C_1'; C_1'';C_2}^\sigma ( \theta _1 \mathrel {{:}{:}} \theta _2)= \mathbf {O}_{C_2}^{ \mathbf {O}_{C_1''}^ {\mathbf {O}_{C_1'}^\sigma (\theta _1)}(\pi _L(\psi (\theta _2)))}(\pi _R(\psi (\theta _2)))$$

    Now, take \(\hat{\psi }\) such that \(\hat{\psi }(\theta _1 \mathrel {{:}{:}} \theta _2) = (\theta _1 \mathrel {{:}{:}} \pi _L(\psi (\theta _2))) \mathrel {{:}{:}} \pi _R(\psi (\theta _2))\).

    Then

    as required.

    For \(\mathbf {SC}\), we have:

    for the same \(\psi \). Thus, for \(\hat{\psi }\) defined above, we have:

    as required, where the equality (*) follows from Lemmas 30 and 31.

    Now we only need to show that \(\hat{\psi }\) is a non-duplicating FSF.

    First, let us show that \(\hat{\psi }\) is indeed a FSF. To this end, we need to show that if \(\psi \) is a FSF, then \(\psi '(\theta ) = \psi (\pi _R(\theta ))\) is also a FSF. We prove this by induction on the structure of \(\psi \):

    • Base case: if \(\psi \) is a path \([d_1, \dots , d_n]\), then \(\psi \circ \pi _R\) is the path \([d_1, \dots , d_n, R]\), so it is a FSF.

    • Induction step: Suppose that \(\psi (\theta ) = \psi _1(\theta ) \mathrel {{:}{:}} \psi _2(\theta )\) and that \(\psi _1 \circ \pi _R\) and \(\psi _2 \circ \pi _R\) are FSFs. Then we have \(\psi (\pi _R(\theta )) = \psi _1(\pi _R(\theta )) \mathrel {{:}{:}} \psi _2(\pi _R(\theta )) = (\psi _1 \circ \pi _R)(\theta ) \mathrel {{:}{:}} (\psi _2 \circ \pi _R)(\theta )\), so \(\psi \circ \pi _R\) is a FSF by definition.

    Now, we show that \(\psi ''(\theta ) = \pi _L(\psi (\pi _R(\theta ))) = \pi _L(\psi '(\theta ))\) is a FSF: if \(\psi '\) is a path \([d_1, \dots , d_n]\), then \(\psi ''\) is a path \([L, d_1, \dots , d_n]\), and if \(\psi ' = \psi '_1 \mathrel {{:}{:}} \psi '_2\), then \(\pi _L(\psi '(\theta )) = \pi _L(\psi '_1(\theta ) \mathrel {{:}{:}} \psi '_2(\theta )) = \psi '_1(\theta )\). Similarly, we can show that \( \pi _R(\psi (\pi _R(\theta )))\) is a FSF. Hence, \(\hat{\psi }\) is a FSF by definition.

    Finally, we need to show that \(\hat{\psi }\) is non-duplicating.

    We can show by a simple induction that for any \(\psi \), the set of paths \(\mathcal {P}_{\psi \circ \pi _R}\) in \(\psi \circ \pi _R\) is \(\{ pR\ |\ p \in \mathcal {P}_{\psi } \}\), where \(\mathcal {P}_{\psi }\) is the set of paths in \(\psi \) and juxtaposition denotes concatenation.

    If \(\psi \) is a path p, then \(\pi _L \circ \psi \circ \pi _R\) and \(\pi _R \circ \psi \circ \pi _R\) are paths LpR and RpR. Hence, the set of paths in \(\hat{\psi }\) is \(\{[L], LpR, RpR \}\). It is instantly clear that no path is a suffix of another, so \(\hat{\psi }\) is non-duplicating.

    If \(\psi (\theta ) = \psi _1(\theta ) \mathrel {{:}{:}} \psi _2(\theta )\), then \((\pi _L \circ \psi \circ \pi _R)(\theta ) = \pi _L(\psi _1(\pi _R(\theta )) \mathrel {{:}{:}} \psi _2(\pi _R(\theta ))) = \psi _1(\pi _R(\theta ))\), so the set of paths in \(\pi _L \circ \psi \circ \pi _R\) is \(\{pR\ |\ p \in \mathcal {P}_{\psi _1} \}\), where \(\mathcal {P}_{\psi _1} \) is the set of paths in \(\psi _1\). Similarly, the set of paths in \(\pi _R \circ \psi \circ \pi _R\) is \(\{pR\ |\ p \in \mathcal {P}_{\psi _2} \}\), where \(\mathcal {P}_{\psi _2} \) is the set of paths in \(\psi _2\). Since \(\mathcal {P}_{\psi } = \mathcal {P}_{\psi _1} \cup \mathcal {P}_{\psi _2} \), the set of paths in the entire definition of \(\hat{\psi }\) is \(\{ [L] \} \cup \{pR\ |\ p \in \mathcal {P}_{\psi } \}\). It is clear that [L] is not a suffix of any path of the form pR (as all such paths end with R). Moreover, if there were paths \(p_1, p_2 \in \mathcal {P}_{\psi }\) such that \(p_1R\) was a suffix of \(p_2R\), then \(p_1\) would be a suffix of \(p_2\), which would contradict the assumption.

    Hence, \(\hat{\psi }\) is non-duplicating, which ends the proof.

   \(\square \)
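
Definition 30 and the \(\hat{\psi }\) construction from the proof of Proposition 2, as an added Python sketch (not code from the chapter or from [39]). FSFs are represented symbolically; the nested-tuple entropy used by `apply` is a constructed finite stand-in for elements of \(\mathbb {S}\), and all function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Tuple, Union

# A path [d1, ..., dn] denotes pi_d1 o ... o pi_dn; the empty tuple is Id.
Path = Tuple[str, ...]


@dataclass(frozen=True)
class Pair:
    """The FSF theta |-> left(theta) :: right(theta)."""
    left: "FSF"
    right: "FSF"


FSF = Union[Path, Pair]


def paths(phi):
    """All paths appearing in the definition of phi, left to right."""
    if isinstance(phi, Pair):
        return paths(phi.left) + paths(phi.right)
    return [phi]


def is_suffix(p, q):
    """True if path p is a suffix of path q (the empty path is a suffix of all)."""
    return len(p) <= len(q) and q[len(q) - len(p):] == p


def non_duplicating(phi):
    """Definition 30: no path in phi is a suffix of another path in phi."""
    ps = paths(phi)
    return not any(i != j and is_suffix(p, q)
                   for i, p in enumerate(ps) for j, q in enumerate(ps))


def after(phi, d):
    """phi o pi_d: appends direction d to every path of phi."""
    if isinstance(phi, Pair):
        return Pair(after(phi.left, d), after(phi.right, d))
    return phi + (d,)


def project(d, phi):
    """pi_d o phi, simplified with pi_L(a :: b) = a and pi_R(a :: b) = b."""
    if isinstance(phi, Pair):
        return phi.left if d == "L" else phi.right
    return (d,) + phi


def psi_hat(psi):
    """psi_hat(t1 :: t2) = (t1 :: pi_L(psi(t2))) :: pi_R(psi(t2))."""
    inner = after(psi, "R")  # psi o pi_R, i.e. psi applied to t2
    return Pair(Pair(("L",), project("L", inner)), project("R", inner))


def apply(phi, theta):
    """Evaluate phi on a finite stand-in entropy: a nested 2-tuple (left, right)."""
    if isinstance(phi, Pair):
        return (apply(phi.left, theta), apply(phi.right, theta))
    for d in reversed(phi):  # the rightmost projection is applied first
        theta = theta[0] if d == "L" else theta[1]
    return theta


IDENTITY = ()                    # base case of Proposition 2: psi = Id
PSI_1 = psi_hat(IDENTITY)        # one induction step
PSI_2 = psi_hat(PSI_1)           # two induction steps
DUPLICATING = Pair(("L",), ())   # theta |-> pi_L(theta) :: theta reuses pi_L(theta)

if __name__ == "__main__":
    theta = ("a", ("b", ("c", "d")))  # constructed sample: a :: (b :: (c :: d))
    for name, psi in [("psi_1", PSI_1), ("psi_2", PSI_2), ("dup", DUPLICATING)]:
        print(name, paths(psi), non_duplicating(psi), apply(psi, theta))
```

Each application of `psi_hat` regroups the entropy so that the left component feeds the longer prefix of the statement list, and the path sets it produces have the shape \(\{[L]\} \cup \{pR \mid p \in \mathcal {P}_{\psi }\}\) used in the non-duplication argument.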

D.3 Approximating While-Loops

To simplify reasoning about \(\mathtt {while}\)-loops, it is useful—and common in program semantics—to consider finite approximations of loops in which the maximal number of iterations is bounded. To that end, we define the n-th unfolding of a guarded loop inductively as follows:

$$\begin{aligned} \mathtt {while}^0(\phi )\{C\} &= \mathtt {diverge} \\ \mathtt {while}^{n+1}(\phi )\{C\} &= \mathtt {if}(\phi )\{C; \mathtt {while}^n(\phi )\{C\} \}. \end{aligned}$$

In the limit, bounded \(\mathtt {while}\)-loops behave as standard \(\mathtt {while}\)-loops. We use this result to define the evaluation of a measurable function f on successful termination states of a \(\mathtt {while}\)-loop, scaled by its score, as a limit of approximations. As we are interested in f on proper states, we use \(\hat{f}\) rather than f.

Proposition 3

Let loop \(C = \mathtt {while}(\phi )\{C'\}\) and \(C^n = \mathtt {while}^n(\phi )\{C'\}\) its n-th approximation. Then:

$$ \hat{f}(\mathbf {O}_{C}^\sigma (\theta )) \cdot \mathbf {SC}_{C}^\sigma (\theta ) \ = \ \sup _n \, \hat{f}( \mathbf {O}_{C^n}^\sigma (\theta )) \cdot \mathbf {SC}_{C^n}^\sigma (\theta ). $$

The following monotonicity property is relevant later when proving the relationship between the operational semantics of PL and its denotational semantics. As before, let \(C^n = \mathtt {while}^n(\phi )\{C'\}\).

Proposition 4

If , then \(\hat{f}(\mathbf {O}_{C^n}^\sigma (\theta )) \cdot \mathbf {SC}_{C^n}^\sigma (\theta ) \ge \hat{f}(\mathbf {O}_{C^k}^\sigma (\theta )) \cdot \mathbf {SC}_{C^k}^\sigma (\theta )\).

Similarly, we want to show that the sequence \(\hat{f}(\mathbf {O}_{C^n}^\sigma (\theta )) \cdot \mathbf {SC}_{C^n}^\sigma (\theta )\) approximates \(\check{f}(\mathbf {O}_{C}^\sigma (\theta )) \cdot \mathbf {SC}_{C}^\sigma (\theta )\). This result allows us to express the anticipated value of the function \(\hat{f}\) for a given fixed entropy as a limit of approximations, and by integrating both sides with respect to the measure on entropies we get that the expected value of \(\hat{f}\) can also be expressed as a limit of approximations. We will use this result in the proof of Theorem 2. Recall that \(\check{f}(\tau ) = 1\) for \(\tau = \ \uparrow \).

Proposition 5

Let loop \(C = \mathtt {while}(\phi )\{C'\}\) and \(C^n = \mathtt {while}^n(\phi )\{C'\}\) its n-th approximation. Take a function \(f \le 1\). Then

$$ \check{f}(\mathbf {O}_{C}^\sigma (\theta )) \cdot \mathbf {SC}_{C}^\sigma (\theta ) \ = \ \inf _n \, \check{f}( \mathbf {O}_{C^n}^\sigma (\theta )) \cdot \mathbf {SC}_{C^n}^\sigma (\theta ). $$

Proposition 6

If \(n \ge k\) and \(f \le 1\), then

$$ \check{f}( \mathbf {O}_{C^n}^\sigma (\theta )) \cdot \mathbf {SC}_{C^n}^\sigma (\theta ) \ \le \ \check{f}( \mathbf {O}_{C^k}^\sigma (\theta )) \cdot \mathbf {SC}_{C^k}^\sigma (\theta ). $$
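
The unfolding \(\mathtt {while}^n\) and the two approximation sequences of Propositions 3 to 6, evaluated for one fixed run in an added Python sketch (not code from the chapter). Assumptions made here: the entropy is simplified to a finite list of pre-drawn samples, an \(\mathtt {if}\) with a false guard terminates with the state unchanged, every score factor lies in \((0, 1]\), \(\hat{f}(\uparrow ) = 0\), and the loop body, guard and f are constructed samples.

```python
from fractions import Fraction

DIVERGE = None  # stands for the diverging "state" written as an up-arrow


def run_unfolding(n, guard, body, state, draws):
    """Evaluate while^n(guard){body} from `state` on pre-drawn samples.

    Returns (final state or DIVERGE, score). while^0 is `diverge`, which never
    changes the accumulated score, so the score at the cut-off is returned.
    """
    score = Fraction(1)
    draws = iter(draws)
    for _ in range(n):
        if not guard(state):
            return state, score      # guard false: the unfolding terminates
        state, factor = body(state, next(draws))
        score *= factor              # soft conditioning multiplies the weight
    return DIVERGE, score            # all n unfoldings used: reached while^0


def bounds(n, f, guard, body, state, draws):
    """Return (f_hat(O) * SC, f_check(O) * SC) for the n-th unfolding."""
    out, sc = run_unfolding(n, guard, body, state, draws)
    lower = (Fraction(0) if out is DIVERGE else f(out)) * sc  # assumed f_hat(up) = 0
    upper = (Fraction(1) if out is DIVERGE else f(out)) * sc  # f_check(up) = 1
    return lower, upper


# Constructed sample program: state is (x, go); each iteration increments x,
# redraws `go` from one sample and scores the run by 9/10.
def guard(state):
    return state[1]


def body(state, u):
    x, _ = state
    return (x + 1, u < 0.5), Fraction(9, 10)


def f(state):
    """A sample post-expectation with f <= 1, as Propositions 5 and 6 require."""
    return Fraction(1, 1 + state[0])


INIT = (0, True)
DRAWS = [0.2, 0.4, 0.7, 0.1]  # constructed entropy: the guard fails after 3 iterations


def table(max_n):
    """The pairs (lower, upper) for n = 0 .. max_n."""
    return [bounds(n, f, guard, body, INIT, DRAWS) for n in range(max_n + 1)]


if __name__ == "__main__":
    for n, (lo, hi) in enumerate(table(6)):
        print(n, lo, hi)
```

The lower sequence stays at 0 until the fourth unfolding and the upper sequence shrinks with the accumulated score, after which both equal \(f(\sigma ') \cdot w\) for the terminating run.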

The rest of this section is the proof of Propositions 3, 4, 5 and 6, which will be needed to prove the case of \(\mathtt {while}\)-loops in Theorem 1 and Theorem 2. The first key fact that we want to show is that for non-diverging executions, a bounded while-loop of the form \(\mathtt {while}^n(\phi )\{C\}\) behaves just like \(\mathtt {while}(\phi )\{C\}\) for a sufficiently large n. We formalise and prove it using two auxiliary relations on configurations.

Replacing \(\mathtt {while}(\phi )\{C\}\) with \(\mathtt {while}^{n}(\phi )\{C\}\). We first prove that in all non-diverging configurations, if the expression is of the form \(\mathtt {while}(\phi )\{C\}\), we can replace it with \(\mathtt {while}^n(\phi )\{C\}\) for a large enough n, without changing the final configuration reached after reduction is completed. To this end, we first define an indexed relation \((\sim ^{n})\) on configurations. We begin with auxiliary relations \(C \sim ^{n} C'\) and \(K \sim ^{n} K'\), defined inductively as follows:

figure n

We then naturally extend the definition to configurations:

figure o

For \(n > 0\):

figure p

We can immediately check that if two configurations are related by \((\sim ^{n})\) for some \(n>0\), then if we perform one step of reductions on both of them, the resulting configurations are guaranteed to be related at least by \((\sim ^{n-1})\).

Lemma 33

\(\sim ^{n}\) is a stratified bisimulation—that is, \(\langle \theta , C, K, \sigma , \theta _K, m, w \rangle \sim ^{0} \langle \theta ', C', K', \sigma ', \theta '_K, m', w' \rangle \) and for \(n>0\):

  • if \(\langle \theta , C, K, \sigma , \theta _K, m, w \rangle \sim ^{n} \langle \theta , C', K', \sigma , \theta _K, m, w \rangle \) and

    \(\langle \theta , C, K, \sigma , \theta _K, m, w \rangle \vdash \langle \theta '', C'', K'', \sigma '', \theta ''_K, m+1, w'' \rangle \), then \(\langle \theta , C', K', \sigma , \theta _K, m, w \rangle \vdash \langle \theta '', C''', K''', \sigma '', \theta ''_K, m+1, w'' \rangle \) and \(\langle \theta '', C'', K'', \sigma '', \theta ''_K, m+1, w'' \rangle \sim ^{n-1} \langle \theta '', C''', K''', \sigma '', \theta ''_K, m+1, w'' \rangle \)

  • if \(\langle \theta , C, K, \sigma , \theta _K, m, w \rangle \sim ^{n} \langle \theta , C', K', \sigma , \theta _K, m, w \rangle \) and

    \(\langle \theta , C', K', \sigma , \theta _K, m, w \rangle \vdash \langle \theta '', C''', K''', \sigma '', \theta ''_K, m+1, w'' \rangle \), then \(\langle \theta , C, K, \sigma , \theta _K, m, w \rangle \vdash \langle \theta '', C'', K'', \sigma '', \theta ''_K, m+1, w'' \rangle \) and \(\langle \theta '', C'', K'', \sigma '', \theta ''_K, m+1, w'' \rangle \sim ^{n-1} \langle \theta '', C''', K''', \sigma '', \theta ''_K, m+1, w'' \rangle \)

Proof

By inspection.    \(\square \)

This result naturally generalises to multi-step reduction.

Corollary 8

If \(\langle \theta , C, K, \sigma , \theta _K, m, w \rangle \sim ^{n} \langle \theta , C', K', \sigma , \theta _K, m, w \rangle \) and \(\langle \theta , C, K, \sigma , \theta _K, m, w \rangle \vdash ^{*} \langle \theta '', C'', K'', \sigma '', \theta ''_K, m+n', w'' \rangle \) and \(n' < n\) then \(\langle \theta , C', K', \sigma , \theta _K, m, w \rangle \vdash ^{*} \langle \theta '', C''', K''', \sigma '', \theta ''_K, m+n', w'' \rangle \) and \(\langle \theta '', C'', K'', \sigma '', \theta ''_K, m+n', w'' \rangle \sim ^{n-n'} \langle \theta '', C''', K''', \sigma '', \theta ''_K, m+n', w'' \rangle \) (and vice versa).

This leads us to the desired result for terminating runs.

Lemma 34

If \(\langle \theta , \mathtt {while}(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K, n+n', w' \rangle \), then there exists k such that \(\langle \theta , \mathtt {while}^k(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K, n+n', w' \rangle \).

Proof

Take \(k = n'+1\). We clearly have \(\mathtt {while}(\phi )\{C\} \sim ^{n'+1} \mathtt {while}^{n'+1}(\phi )\{C\}\), and so \(\langle \theta , \mathtt {while}(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \sim ^{n'+1} \langle \theta , \mathtt {while}^{n'+1}(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \). By Corollary 8, \(\langle \theta , \mathtt {while}^{n'+1}(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C', K', \sigma ', \theta _K, n+n', w' \rangle \), where \(\mathord {\downarrow }\sim ^{1} C'\) and \([] \sim ^{1} K'\), which implies \(C'= \mathord {\downarrow }\) and \(K' = []\). Thus, the statement always holds for \(k = n'+1\).    \(\square \)

This result leads to the following statement about the \(\mathbf {O}_{C}^\sigma \) and \(\mathbf {SC}_{C}^\sigma \) functions:

Lemma 35

For each \(\phi \), C, \(\sigma \), \(\theta \), such that \(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) \in {\varOmega }_{\sigma }\) there is a k such that \(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) = \mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\) and \( \mathbf {SC}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) = \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\)

Proof

If \(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) \in {\varOmega }_{\sigma }\), then by definition of \(\mathbf {O}\), . This implies \(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) = \sigma '\) and \(\mathbf {SC}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) = w\). By Lemma 34, there is a k such that \(\langle \theta , \mathtt {while}^k(\phi )\{C\}, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta '_K, n, w \rangle \). Thus, \(\mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ) = \sigma '\) and \(\mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ) = w\).    \(\square \)

We can also show that if the evaluation of \(\mathtt {while}(\phi )\{C\}\) gets stuck, so does the evaluation of \(\mathtt {while}^k(\phi )\{C\}\) for large enough k.

Lemma 36

If \(\langle \theta , \mathtt {while}(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C', K, \sigma ', \theta _K', n+n', w' \rangle \nvdash \), then there exists k such that \(\langle \theta , \mathtt {while}^k(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C'', K', \sigma ', \theta _K', n+n', w' \rangle \nvdash \).

Proof

Again, take \(k = n'+1\). We have \(\mathtt {while}(\phi )\{C\} \sim ^{n'+1} \mathtt {while}^{n'+1}(\phi )\{C\}\), and so \(\langle \theta , \mathtt {while}(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \sim ^{n'+1} \langle \theta , \mathtt {while}^{n'+1}(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \). By Corollary 8, \(\langle \theta , \mathtt {while}^{n'+1}(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C'', K', \sigma ', \theta _K, n+n', w' \rangle \), where \(C' \sim ^{1} C''\) and \(K \sim ^{1} K'\). By case analysis on the derivation of \(C' \sim ^{1} C''\), and using the fact that K and \(K'\) must have the same length, we conclude that \(\langle \theta ', C', K, \sigma ', \theta _K', n+n', w' \rangle \) reduces if and only if \(\langle \theta ', C'', K', \sigma ', \theta _K', n+n', w' \rangle \) reduces.    \(\square \)

Replacing \(\mathtt {while}^{n}(\phi )\{C\}\) with \(\mathtt {while}(\phi )\{C\}\). We now prove the converse to the above result—that if \(\mathtt {while}^n(\phi )\{C\}\) evaluates with some entropy \(\theta \), the unbounded loop \(\mathtt {while}(\phi )\{C\}\) evaluates to the same configuration. We begin with another relation \(\unlhd \) on configurations, which effectively states that for two configurations \(\kappa _1\) and \(\kappa _2\), if \(\kappa _1 \unlhd \kappa _2\) and \(\kappa _1\) evaluates, then \(\kappa _2\) is guaranteed to evaluate to the same final configuration. This relation is defined inductively as follows:

figure q

Lemma 37

\(\unlhd \) is a simulation—that is, if \(\langle \theta , C, K, \sigma , \theta _K, m, w \rangle \unlhd \langle \theta , C', K', \sigma , \theta _K, m, w \rangle \) and \(\langle \theta , C, K, \sigma , \theta _K, m, w \rangle \vdash \langle \theta '', C'', K'', \sigma '', \theta ''_K, m+1, w'' \rangle \) and \(C \ne \mathtt {diverge}\), then \(\langle \theta , C', K', \sigma , \theta _K, m, w \rangle \vdash \langle \theta '', C''', K''', \sigma '', \theta ''_K, m+1, w'' \rangle \) and \(\langle \theta '', C'', K'', \sigma '', \theta ''_K, m+1, w'' \rangle \unlhd \langle \theta '', C''', K''', \sigma '', \theta ''_K, m+1, w'' \rangle \)

Proof

By case analysis on the reduction rules.    \(\square \)

Corollary 9

If \(\langle \theta , C, K, \sigma , \theta _K, m, w \rangle \unlhd \langle \theta , C', K', \sigma , \theta _K, m, w \rangle \) and \(\langle \theta , C, K, \sigma , \theta _K, m, w \rangle \vdash ^{*} \langle \theta '', C'', K'', \sigma '', \theta ''_K, m+n', w'' \rangle \) and \(C'' \ne \mathtt {diverge}\), then

\(\langle \theta , C', K', \sigma , \theta _K, m, w \rangle \vdash ^{*} \langle \theta '', C''', K''', \sigma '', \theta ''_K, m+n', w'' \rangle \) and \(\langle \theta '', C'', K'', \sigma '', \theta ''_K, m+n', w'' \rangle \unlhd \langle \theta '', C''', K''', \sigma '', \theta ''_K, m+n', w'' \rangle \)

We can now show the desired result for terminating reductions.

Lemma 38

If \(\langle \theta , \mathtt {while}^k(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K, n+n', w' \rangle \), then

\(\langle \theta , \mathtt {while}(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K, n+n', w' \rangle \).

Proof

We have \(\langle \theta , \mathtt {while}^k(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \unlhd \langle \theta , \mathtt {while}(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \), so by Corollary 9, \(\langle \theta , \mathtt {while}(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C', K', \sigma ', \theta _K, n+n', w' \rangle \) where \(\mathord {\downarrow }\unlhd C'\) and \([] \unlhd K'\), which implies \(C' = \mathord {\downarrow }\) and \(K' = []\).    \(\square \)

If the evaluation of \(\mathtt {while}^k(\phi )\{C\}\) gets stuck, so does the evaluation of \(\mathtt {while}(\phi )\{C\}\).

Lemma 39

If \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash \langle \theta ', C', K', \sigma ', \theta _K', n', w' \rangle \) and \(\hat{C} \unlhd C\) and \( \hat{K} \unlhd K\), then \(\langle \theta , \hat{C}, \hat{K}, \sigma , \theta _K, n, w \rangle \vdash \langle \theta '', C'', K'', \sigma '', \theta _K'', n'', w'' \rangle \).

Proof

By case analysis on the derivation of \(\hat{C} \unlhd C\).    \(\square \)

Lemma 40

If \(\langle \theta , \mathtt {while}^k(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C', K, \sigma ', \theta _K', n+n', w' \rangle \nvdash \), then \(\langle \theta , \mathtt {while}(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C'', K', \sigma ', \theta _K', n+n', w' \rangle \nvdash \).

Proof

If \(C' \ne \texttt {diverge}\), then by Corollary 9, \(\langle \theta , \mathtt {while}(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C'', K', \sigma ', \theta _K, n+n', w' \rangle \) where \(C' \unlhd C''\) and \(K \unlhd K'\). By Lemma 39, if \(\langle \theta ', C'', K', \sigma ', \theta _K, n+n', w' \rangle \) reduces, then \(\langle \theta ', C', K, \sigma ', \theta _K, n+n', w' \rangle \) also reduces, contradicting the assumption. Hence, \(\langle \theta ', C'', K', \sigma ', \theta _K, n+n', w' \rangle \nvdash \), as required.

If \(C' = \texttt {diverge}\), then , as otherwise \(\langle \theta ', \texttt {diverge}, K, \sigma ', \theta _K', n+n', w' \rangle \) would reduce by (diverge). However, is not derivable from any initial configuration other than itself. Hence, \(n' = 0\) and \(k=0\) and . Since no configuration with state reduces, we have , as required.    \(\square \)

Corollary 10

\(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) \ge \mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\) for all k.

Replacing One Bounded Loop with Another. We now prove that a bounded loop \(\mathtt {while}^k(\phi )\{C\}\) can be safely replaced by another bounded loop with a higher bound.

Lemma 41

If \(m \ge k\) and \(\langle \theta , \mathtt {while}^k(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K, n+n', w' \rangle \), then \(\langle \theta , \mathtt {while}^m(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathord {\downarrow }, [], \sigma ', \theta _K, n+n', w' \rangle \)

Proof

We have \(\langle \theta , \mathtt {while}^k(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \unlhd \langle \theta , \mathtt {while}^m(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \), so by Corollary 9, \(\langle \theta , \mathtt {while}^m(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C', K', \sigma ', \theta _K, n+n', w' \rangle \) where \(\mathord {\downarrow }\unlhd C'\) and \([] \unlhd K'\), which implies \(C' = \mathord {\downarrow }\) and \(K' = []\).    \(\square \)

We show the same property for reductions which get stuck.

Lemma 42

If \(m \ge k\) and \(\langle \theta , \mathtt {while}^k(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C', K, \sigma ', \theta _K', n+n', w' \rangle \nvdash \), then \(\langle \theta , \mathtt {while}^m(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C'', K', \sigma ', \theta _K', n+n', w' \rangle \nvdash \).

Proof

If \(C' \ne \texttt {diverge}\), then by Corollary 9, \(\langle \theta , \mathtt {while}^m(\phi )\{C\}, [], \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', C'', K', \sigma ', \theta _K, n+n', w' \rangle \) where \(C' \unlhd C''\) and \(K \unlhd K'\). By Lemma 39, if \(\langle \theta ', C'', K', \sigma ', \theta _K, n+n', w' \rangle \) reduces, then \(\langle \theta ', C', K, \sigma ', \theta _K, n+n', w' \rangle \) also reduces, contradicting the assumption. Hence, \(\langle \theta ', C'', K', \sigma ', \theta _K, n+n', w' \rangle \nvdash \), as required.

If \(C' = \texttt {diverge}\), then , as otherwise \(\langle \theta ', \texttt {diverge}, K, \sigma ', \theta _K', n+n', w' \rangle \) would reduce by (diverge). However, is not derivable from any initial configuration other than itself. Hence, \(n' = 0\) and \(k=0\) and . Since no configuration with state reduces, we have , as required.    \(\square \)

The above results lead to the following properties of semantic functions:

Corollary 11

If \(n \ge k\), then \(\mathbf {O}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) \ge \mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\) (w.r.t. flat CPO with bottom \(\uparrow \)).

Lemma 43

If \(\mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ) \in {\varOmega }_{\sigma }\) and \(\mathbf {O}_{\mathtt {while}^l(\phi )\{C\}}^\sigma (\theta ) \in {\varOmega }_{\sigma }\), then \(\mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ) = \mathbf {SC}_{\mathtt {while}^l(\phi )\{C\}}^\sigma (\theta )\).

Proof

Assume w.l.o.g. that \(l \ge k\). Then the result follows directly from Lemma 41.    \(\square \)

Proofs of Propositions 3 and 4. Having shown the above properties of while-loop approximations, we are now ready to prove Propositions 3 and 4.

Restatement of Proposition 4. If \(n \ge k\), then \(\hat{f}(\mathbf {O}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ))\)\( \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) \ge \hat{f}(\mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\).

Proof

(of Proposition 4). If or \(\mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ) = \uparrow \), then \(RHS=0\), so the inequality holds trivially.

If \(\mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ) \in {\varOmega }_{\sigma }\), then by Corollary 11, \(\mathbf {O}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) = \mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ) \) and by Lemma 43, \(\mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) = \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\). Hence, \(f(\mathbf {O}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) = f(\mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ))\)\( \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\).    \(\square \)

Restatement of Proposition 3. \(\hat{f}(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) = \sup _n \hat{f}( \mathbf {O}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta )\).

Proof

(of Proposition 3). If \(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) \notin {\varOmega }_{\sigma }\), then \(LHS = 0\). If \(\mathbf {O}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) \in {\varOmega }_{\sigma }\) for some n, then we get a contradiction by Lemma 38, so we have \(\mathbf {O}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) \notin {\varOmega }_{\sigma }\), which implies \(RHS=0\).

Now, assume that \(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) \in {\varOmega }_{\sigma }\). Then by Lemma 35, there exists k such that \(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) = \mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\) and \( \mathbf {SC}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) = \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\).

By Corollary 11 we know that \(\mathbf {O}_{\mathtt {while}^l(\phi )\{C\}}^\sigma (\theta ) = \mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\) for all \(l \ge k\) and either \(\mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ) = \mathbf {O}_{\mathtt {while}^{l'}(\phi )\{C\}}^\sigma (\theta )\) or \(\mathbf {O}_{\mathtt {while}^{l'}(\phi )\{C\}}^\sigma (\theta ) = \uparrow \) for all \(l' \le k\). Hence, for all l, either \(\hat{f}(\mathbf {O}_{\mathtt {while}^l(\phi )\{C\}}^\sigma (\theta )) = \hat{f}(\mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ))\) or \(\hat{f}(\mathbf {O}_{\mathtt {while}^l(\phi )\{C\}}^\sigma (\theta )) = 0\).

By Lemma 43, for all l, either \(\mathbf {O}_{\mathtt {while}^{l}(\phi )\{C\}}^\sigma (\theta ) \notin {\varOmega }_{\sigma }\) or \(\mathbf {SC}_{\mathtt {while}^l(\phi )\{C\}}^\sigma (\theta ) = \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\). Hence, for all l, either \(\hat{f}(\mathbf {O}_{\mathtt {while}^l(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}^l(\phi )\{C\}}^\sigma (\theta ) = \hat{f}(\mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\) or \(\hat{f}(\mathbf {O}_{\mathtt {while}^l(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}^l(\phi )\{C\}}^\sigma (\theta ) = 0\).

Thus, \(\sup _n \hat{f}( \mathbf {O}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) = \hat{f}(\mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ))\)\( \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\), and so \(\hat{f}(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) = \sup _n \hat{f}( \mathbf {O}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) \), as required.    \(\square \)

Proofs of Propositions 5 and 6. Finally, we prove Propositions 5 and 6, which are required by Theorem 2. One final additional result needed for these proofs is that \(\mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) \) and \(\mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l) \) (for any l) are decreasing as functions of n.

Lemma 44

If \(n \ge k\), then \(\mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) \le \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\).

Proof

If , then by Corollary 11. Hence, \(\mathbf {SC}_{\mathtt {while}^k(\phi )\{C\} }^\sigma (\theta ) = \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\} }^\sigma (\theta ) = 0\).

Now, suppose that . If there exists l such that \(\langle \theta , \mathtt {while}^k(\phi )\{C\}, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*}_{\mathtt {min}} \langle \theta ', \mathtt {diverge}, K, \tau , \theta _K', l , w \rangle \), then by Lemma 45, \(\langle \theta , \mathtt {while}^n(\phi )\{C\}, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C, K', \tau , \theta _K', l , w \rangle \) and \(\langle \theta ', \mathtt {diverge}, K, \tau , \theta _K', l , w \rangle \unlhd \langle \theta ', C, K', \tau , \theta _K', l , w \rangle \). Since \(\langle \theta ', \mathtt {diverge}, K, \tau , \theta _K', m , w \rangle \vdash \langle \theta ', \mathtt {diverge}, K, \tau , \theta _K', m+1 , w \rangle \), for all \(l' \ge l\), we have \(\mathbf {SC}_{\mathtt {while}^{k}(\phi )\{C\} }^\sigma (\theta , l') = w\). For each \(l' \ge l\), we either have \(\langle \theta , \mathtt {while}^n(\phi )\{C\}, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C, K', \tau , \theta _K', l , w \rangle \vdash ^{*} \langle \theta '', C', K'', \tau ', \theta _K'', l' , w' \rangle \), where \(w' \le w\) by Lemma 7, and so \(\mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l') = w'\) or \(\mathtt {while}^n(\phi )\{C\}\) does not reduce in \(l'\) steps under \(\theta \), in which case \(\mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l') = 0\). In either case, \(\mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l') \le \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta , l')\) for all \(l' \ge l\), so the result holds by a property of the limit of a sequence.

If there exists no l such that \(\langle \theta , \mathtt {while}^k(\phi )\{C\}, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*}_{\mathtt {min}} \langle \theta ', \mathtt {diverge}, K, \tau , \theta _K', l , w \rangle \), then for all l, we have \(\langle \theta , \mathtt {while}^k(\phi )\{C\}, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C, K, \tau , \theta _K', l , w \rangle \), where \(C \ne \mathtt {diverge}\). By Corollary 9, \(\langle \theta , \mathtt {while}^n(\phi )\{C\}, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C', K', \tau , \theta _K', l , w \rangle \) for some \(C'\), \(K'\), and so \(\mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta , l) = \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l)\) for all l, which implies \(\mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ) = \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta )\).    \(\square \)

Lemma 45

If \(\langle \theta , C, K, \sigma , \theta _K, m, w \rangle \unlhd \langle \theta , C', K', \sigma , \theta _K, m, w \rangle \) and \(\langle \theta , C, K, \sigma , \theta _K, m, w \rangle \vdash ^{*}_{\mathtt {min}} \langle \theta '', \mathtt {diverge}, K'', \sigma '', \theta ''_K, m+n', w'' \rangle \) then

\(\langle \theta , C', K', \sigma , \theta _K, m, w \rangle \vdash ^{*} \langle \theta '', C''', K''', \sigma '', \theta ''_K, m+n', w'' \rangle \) and \(\langle \theta '', \mathtt {diverge}, K'', \sigma '', \theta ''_K, m+n', w'' \rangle \unlhd \langle \theta '', C''', K''', \sigma '', \theta ''_K, m+n', w'' \rangle \)

Proof

Follows from Corollary 9 and Lemma 37.    \(\square \)

Lemma 46

If \(n \ge k\), then for all l, \( \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l) \le \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta , l)\).

Proof

If \(\langle \theta , \mathtt {while}^k(\phi )\{C\}, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C', K, \sigma ', \theta _K', l', w \rangle \nvdash \) for some \(l' < l\), then \(\langle \theta , \mathtt {while}^n(\phi )\{C\}, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C'', K', \sigma ', \theta _K', l', w \rangle \nvdash \) by Lemma 42, and so \( \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l) = \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta , l) = 0\).

If \(\langle \theta , \mathtt {while}^k(\phi )\{C\}, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', \mathtt {diverge}, K, \sigma ', \theta _K', l, w \rangle \), then \(\mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta , l) = w\) and there must exist an \(l' \le l\) such that \(\langle \theta , \mathtt {while}^k(\phi )\{C\}, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*}_{\mathtt {min}} \langle \theta ', \mathtt {diverge}, K, \sigma ', \theta _K', l', w \rangle \). Moreover, by Lemma 45, \(\langle \theta , \mathtt {while}^n(\phi )\{C\}, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C'', K', \tau , \theta _K', l' , w \rangle \) and \(\langle \theta ', \mathtt {diverge}, K, \tau , \theta _K', l' , w \rangle \unlhd \langle \theta ', C'', K', \tau , \theta _K', l', w \rangle \). If we have \(\langle \theta ', C'', K', \tau , \theta _K', l', w \rangle \vdash ^{*} \langle \theta '', C''', K'', \tau , \theta _K'', l, w' \rangle \), then \(\mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l) = w' \le w\) by Lemma 7. Otherwise, \(\mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l) = 0\). In either case, \( \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l) \le \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta , l) = w\).

If \(\langle \theta , \mathtt {while}^k(\phi )\{C\}, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C', K, \sigma ', \theta _K', l, w \rangle \) and \(C' \ne \mathtt {diverge}\), then by Corollary 9, \(\langle \theta , \mathtt {while}^n(\phi )\{C\}, [], \sigma , \theta _K, 0, 1 \rangle \vdash ^{*} \langle \theta ', C'', K', \tau , \theta _K', l , w \rangle \) and \(\langle \theta ', C', K, \tau , \theta _K', l , w \rangle \unlhd \langle \theta ', C'', K', \tau , \theta _K', l, w \rangle \). Thus, \( \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l) \le \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta , l) = w\).    \(\square \)

Restatement of Proposition 5. For all \(f \le 1\),

$$\check{f}(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) = \inf _n \check{f}( \mathbf {O}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta )$$

Proof

(of Proposition 5). If \(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) \in {\varOmega }_{\sigma }\), then by Lemma 35, there exists k such that \(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) = \mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\) and \( \mathbf {SC}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) = \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\). By similar reasoning as in the proof of Proposition 3, for all l, either \(\check{f}(\mathbf {O}_{\mathtt {while}^l(\phi )\{C\}}^\sigma (\theta )) = \check{f}(\mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ))\) or \(\check{f}(\mathbf {O}_{\mathtt {while}^l(\phi )\{C\}}^\sigma (\theta )) = 1\), so \(\check{f}(\mathbf {O}_{\mathtt {while}^l(\phi )\{C\}}^\sigma (\theta )) \ge \check{f}(\mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ))\) for all l.

By Lemma 43, for all l, either \(\mathbf {O}_{\mathtt {while}^{l}(\phi )\{C\}}^\sigma (\theta ) \notin {\varOmega }_{\sigma }\) or \(\mathbf {SC}_{\mathtt {while}^l(\phi )\{C\}}^\sigma (\theta ) = \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\). If \(\mathbf {O}_{\mathtt {while}^{l}(\phi )\{C\}}^\sigma (\theta ) \notin {\varOmega }_{\sigma }\), then \(l < k\) because of Corollary 11. Moreover, by Lemma 44, if \(l < k\), then \( \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ) \le \mathbf {SC}_{\mathtt {while}^l(\phi )\{C\}}^\sigma (\theta )\). Hence, \( \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ) \le \mathbf {SC}_{\mathtt {while}^l(\phi )\{C\}}^\sigma (\theta )\) for all l. This implies \(\inf _n \check{f}( \mathbf {O}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) = \check{f}( \mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ))\)\( \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ) = \check{f}(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta )\).

If , then by Lemma 36, for some k. Thus, \(\inf _n \check{f}( \mathbf {O}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) = 0 = \check{f}(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta )\).

If \(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) = \uparrow \), then \(\check{f}(\mathbf {O}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta )) = 1\). By Lemma 10, \(\mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ) = \uparrow \) for all k. Since \(\check{f}(\uparrow ) = 1\), we only need to show that \(\mathbf {SC}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta ) = \inf _n \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta )\).

First, observe that from Corollary 8, it follows that for all l, for all \(k \ge l\), \(\mathbf {SC}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta , l) = \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta , l)\). Thus, for such fixed l, \(\mathbf {SC}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta , l) = \inf _n \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l)\). Hence,

$$\begin{aligned} \mathbf {SC}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta )= & {} \inf _l\ \mathbf {SC}_{\mathtt {while}(\phi )\{C\}}^\sigma (\theta , l) \\= & {} \inf _l\ \inf _n\ \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l) \\= & {} \inf _n\ \inf _l\ \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l) \\= & {} \inf _n\ \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) \end{aligned}$$

In the equality \(\inf _l\ \inf _n\ \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l) = \inf _n\ \inf _l\ \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l)\), we used the fact that \(\inf _l\ \inf _n\ \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l) = \lim _{l \to \infty } \ \lim _{n \to \infty } \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l)\) and that \(\mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l)\) is decreasing in both n and l, which means that by Theorem 4.2 from [14], \( \lim _{l \to \infty } \ \lim _{n \to \infty } \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l) = \lim _{n \to \infty } \ \lim _{l \to \infty }\ \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta , l)\).    \(\square \)

Below, we write \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash ^{*}_{\mathtt {min}} \langle \theta ', \mathtt {diverge}, K', \sigma ', \theta '_K, n + n', w' \rangle \) if \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathtt {diverge}, K', \sigma ', \theta '_K, n + n', w' \rangle \) and there is no \(n'' < n'\) such that \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta '', \mathtt {diverge}, K'', \sigma '', \theta ''_K, n + n'', w'' \rangle \) (or, equivalently, \(\langle \theta , C, K, \sigma , \theta _K, n, w \rangle \vdash ^{*} \langle \theta ', \mathtt {diverge}, K', \sigma ', \theta '_K, n + n', w' \rangle \) was derived without (diverge)).

Restatement of Proposition 6. If \(n \ge k\) and \(f \le 1\), then

$$\check{f}(\mathbf {O}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) \le \check{f}(\mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ). $$

Proof

(of Proposition 6). By Corollary 11, \(\mathbf {O}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) \ge \mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\). Since \(\check{f}\) is antitone (we have \(\check{f}(\tau ) \le \check{f}(\uparrow ) = 1\) for all \(\tau \ge \uparrow \)), this implies \(\check{f}(\mathbf {O}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta )) \le \check{f}(\mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta ))\). By Lemma 44, \( \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) \le \)\( \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\), so \(\check{f}(\mathbf {O}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}^n(\phi )\{C\}}^\sigma (\theta ) \le \)\( \check{f}(\mathbf {O}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )) \mathbf {SC}_{\mathtt {while}^k(\phi )\{C\}}^\sigma (\theta )\), as required.    \(\square \)

E Proofs of Theorems 1 and 2

Restatement of Theorem 1. For all measurable functions \(f :{\varOmega }_{\sigma } \to \overline{\mathbb {R}}_{+}\), PL programs C and initial states \(\sigma \in {\varOmega }_{\sigma }\):

$$ \mathtt {wp} [\![{ C }]\!](f)(\sigma ) \ = \ \int f(\tau ) [\![{C}]\!]_{\sigma }(d\tau ). $$

Proof

By Lemma 10, it suffices to prove that for all f:

$$ \int \hat{f}(\mathbf {O}_{C}^\sigma (\theta )) \cdot \mathbf {SC}_C^\sigma (\theta )\, \mu _{\mathbb {S}}(d\theta ) \ = \mathtt {wp} [\![{ C }]\!](f)(\sigma ). $$

This can be proven by induction on the structure of C. We refrain from treating all cases but restrict ourselves to some interesting cases:

  • Case \(C = x :\approx U\).

  • Case \(C = C_1; C_2\) with \(C_1 \ne C'_1; C'_2\).

    where \(\tau = \mathbf {O}_{C_1}^\sigma (\pi _L(\theta ))\) and \(\rho = \mathbf {O}_{C_1}^\sigma (\theta _L)\). We have:

  • Case \(C = \mathtt {score}(E)\). By inspecting the reduction rules, it follows:

    which implies \(\hat{f}(\mathbf {O}_{ \mathtt {score}(E)}^\sigma (\theta )) \ = \ [\sigma (E) \in (0,1]] \cdot \hat{f}(\sigma )\) and

    $$ \mathbf {SC}_{ \mathtt {score}(E)}^\sigma (\theta ) \ = \ {\left\{ \begin{array}{ll} \sigma (E) &{} \text {if}\ \sigma (E) \in (0,1] \\ 0 &{} \text {otherwise} \\ \end{array}\right. } \ = \ [\sigma (E) \in (0,1]] \cdot \sigma (E). $$

    Thus, we have:

  • Case \(C = \mathtt {while}(\phi )\{C'\}\). Let \(C^n = \mathtt {while}^n(\phi )\{C'\}\). We derive:

    When applying Beppo Levi's theorem, we used the fact that the sequence \(\hat{f}( \mathbf {O}_{C^n}^\sigma (\theta )) \cdot \mathbf {SC}_{C^n}^\sigma (\theta )\) is monotonic in n (Proposition 4). In order to show that the proof step \((*)\) is correct, we need to show:

    $$ \int \hat{f}(\mathbf {O}_{C^n}^\sigma (\theta )) \cdot \mathbf {SC}_{C^n}^{\sigma }(\theta )\, \mu _{\mathbb {S}}(d\theta ) \ = \ {}^{\mathtt {wp}}_{\langle \phi , C' \rangle } {\varPhi }_f^n (0) (\sigma ) \text { for all } n. $$

    We prove this statement by induction on n, using Proposition 2:

    • Base case: \(n=0\):

      $$ \int \underbrace{\hat{f}(\mathbf {O}_{\mathtt {diverge}}^\sigma (\theta ))}_{=0} \cdot \underbrace{\mathbf {SC}_{\mathtt {diverge}}^{\sigma }(\theta )\, \mu _{\mathbb {S}}(d\theta )}_{=1} \ = \ 0 \ = \ {}^{\mathtt {wp}}_{\langle \phi , C' \rangle } {\varPhi }_f^0 (0) (\sigma ) $$
    • Induction step: we distinguish \(\sigma (\phi ) = \mathtt {true}\) and \(\sigma (\phi ) = \mathtt {false}\). For the latter case we have:

      $$ \int \hat{f}(\sigma ) \cdot 1\, \mu _{\mathbb {S}}(d\theta ) \ = \ f(\sigma ). $$

      For the case \(\sigma (\phi ) = \mathtt {true}\) we derive:

      where \(\tau = \mathbf {O}_{C'}^\sigma (\pi _L(\psi (\theta )))\) and \(\rho = \mathbf {O}_{C'}^\sigma (\pi _L(\theta ))\). Now let \(p(\tau ) = \int \hat{f}(\mathbf {O}_{C^n}^{\tau } (\theta _R)) \cdot \mathbf {SC}_{C^n}^{\tau } (\theta _R)\, \mu _{\mathbb {S}}(d\theta _R)\) for \(\tau \in {\varOmega }_{\sigma }\). Then:

Hence, the equality \((*)\) is correct, which finishes the proof.    \(\square \)

The second main theorem of this paper states that the weakest liberal preexpectation of a non-negative function f bounded by 1 is equivalent to the expected value of f with respect to the distribution defined by the operational semantics plus the probability of divergence weighted by scores.

Restatement of Theorem 2. For every measurable non-negative function \(f :{\varOmega }_{\sigma } \to \overline{\mathbb {R}}_{+}\) with \(f(\sigma ) \le 1\) for all states \(\sigma \), PL program C and initial state \(\sigma \in {\varOmega }_{\sigma }\):

$$ \mathtt {wlp} [\![{ C }]\!](f)(\sigma ) \ = \ \int f(\tau ) \cdot {[\![{C}]\!]_{\sigma }}|_{{\varOmega }_{\sigma }}(d\tau ) + \underbrace{\int [\mathbf {O}_C^{\sigma }(\theta ) =\ \uparrow ] \cdot \mathbf {SC}_C^{\sigma }(\theta ) \, \mu _{\mathbb {S}} (d\theta )}_{{\text {probability of divergence multiplied by the score}}}. $$

Proof

By induction on the structure of C. The proof is essentially the same as the proof of Theorem 1, except that in the case of \(\mathtt {while}\)-loops, we use Proposition 5 instead of Proposition 3 to show that the \(\mathtt {while}\)-loop can be replaced by the limit of its finite approximations.

Similarly to Theorem 1, the equation we want to prove can be rewritten as:

$$ \mathtt {wlp} [\![{ C }]\!](f)(\sigma ) \ = \ \int \check{f}(\mathbf {O}_{C}^\sigma (\theta )) \cdot \mathbf {SC}_{C}^\sigma (\theta )\, \mu _{\mathbb {S}}(d\theta ) $$

The proof goes as follows. Let \(C = \mathtt {while}(\phi )\{C'\}\) and \(C^n = \mathtt {while}^n(\phi )\{C'\}\).

In order to show that step \((*)\) is correct, we need to show that \(\int \check{f}( \mathbf {O}_{C^n}^\sigma (\theta )) \cdot \mathbf {SC}_{C^n}^\sigma (\theta )\, \mu _{\mathbb {S}}(d\theta ) = \inf _n {}^{\mathtt {wlp}}_{\langle \phi , C' \rangle } {\varPhi }_f^n (1) (\sigma )\) for all n. This can be proven by induction on n; the proof is almost identical to the proof of \((*)\) from Theorem 1. When applying Beppo Levi's theorem, we used the fact that the sequence \(\check{f}( \mathbf {O}_{C^n}^\sigma (\theta )) \cdot \mathbf {SC}_{C^n}^\sigma (\theta )\) is decreasing in n (Proposition 6) and that \(\int \check{f}(\mathbf {O}_{C^0}^\sigma (\theta )) \cdot \mathbf {SC}_{C^0}^\sigma (\theta )\, \mu _{\mathbb {S}}(d\theta ) < \infty \), which can be checked immediately.    \(\square \)
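The finite loop approximations used in the proofs of Theorems 1 and 2 can be computed directly for a deterministic fragment of the language (no draws), starting the iteration from 0 for wp and from 1 for wlp. The following Python sketch is an added example, not code from the paper: the class names, the functions `pre` and `approximants` and the three sample programs are constructed here. It assumes that one loop unrolling maps X to f where the guard is false and to the preexpectation of the body with respect to X where the guard is true, and that wlp treats score(E) exactly as wp does.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

State = Dict[str, float]
Expectation = Callable[[State], float]   # f : state -> [0, inf]


@dataclass(frozen=True)
class Skip:
    pass


@dataclass(frozen=True)
class Assign:
    var: str
    expr: Callable[[State], float]


@dataclass(frozen=True)
class Score:
    expr: Callable[[State], float]


@dataclass(frozen=True)
class Seq:
    first: object
    second: object


@dataclass(frozen=True)
class While:
    guard: Callable[[State], bool]
    body: object


def _unroll(loop: While, f: Expectation, x: Expectation, n: int, liberal: bool) -> Expectation:
    """One application of the loop functional (assumed form): f if the guard
    is false, otherwise the preexpectation of the body with respect to x."""
    body_pre = pre(loop.body, x, n, liberal)
    return lambda s: body_pre(s) if loop.guard(s) else f(s)


def pre(prog, f: Expectation, n: int, liberal: bool) -> Expectation:
    """Preexpectation of f where every loop is replaced by its n-th finite
    approximation: wp if liberal is False, wlp if liberal is True."""
    if isinstance(prog, Skip):
        return f
    if isinstance(prog, Assign):
        return lambda s: f({**s, prog.var: prog.expr(s)})
    if isinstance(prog, Score):
        def scored(s: State) -> float:
            v = prog.expr(s)
            # [sigma(E) in (0,1]] * sigma(E) * f(sigma), as in the score case
            return v * f(s) if 0 < v <= 1 else 0.0
        return scored
    if isinstance(prog, Seq):
        return pre(prog.first, pre(prog.second, f, n, liberal), n, liberal)
    if isinstance(prog, While):
        start = 1.0 if liberal else 0.0      # iterate from 1 (wlp) or 0 (wp)
        approx: Expectation = lambda s: start
        for _ in range(n):
            approx = _unroll(prog, f, approx, n, liberal)
        return approx
    raise TypeError(f"unsupported statement: {prog!r}")


def approximants(prog, f: Expectation, state: State, upto: int, liberal: bool) -> List[float]:
    """Values of the approximations 0..upto at one initial state."""
    return [pre(prog, f, n, liberal)(state) for n in range(upto + 1)]


# Constructed sample programs and postexpectation (not from the paper).
ONE: Expectation = lambda s: 1.0
# while (x > 0) { score(0.5); x := x - 1 }
COUNTDOWN = While(lambda s: s["x"] > 0,
                  Seq(Score(lambda s: 0.5), Assign("x", lambda s: s["x"] - 1)))
# while (true) { score(0.5) }: diverges, the score shrinks at every iteration
SCORED_DIVERGE = While(lambda s: True, Score(lambda s: 0.5))
# while (true) { skip }: diverges with score 1
PLAIN_DIVERGE = While(lambda s: True, Skip())

if __name__ == "__main__":
    for name, prog in [("countdown", COUNTDOWN),
                       ("scored diverge", SCORED_DIVERGE),
                       ("plain diverge", PLAIN_DIVERGE)]:
        print(name, "wp ", approximants(prog, ONE, {"x": 3}, 5, liberal=False))
        print(name, "wlp", approximants(prog, ONE, {"x": 3}, 5, liberal=True))
```

For the countdown loop started at x = 3 the wp approximations rise from 0 to 0.125 and the wlp approximations fall from 1 to 0.125, matching the monotonicity in Propositions 4 and 6. For the scored infinite loop the wlp approximations halve at every step and tend to 0, which is the divergence term of Theorem 2 weighted by the score.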

F Proving Measurability

The proofs of measurability are similar to [36], with the difference that we are working with an imperative language. In this section, we sketch the proofs of measurability of functions \(\mathbf {O}_C^\sigma (\cdot )\) and \(\mathbf {SC}_C^\sigma (\cdot , n)\), without going into the details, which are conceptually the same as in [36].

F.1 Measurability of Single-Step Reduction

Let us define:

We need to show that g is measurable. The only interesting cases are (assign), which modifies the state (we need to show that g is still continuous in this case); (draw), which modifies both the state and the trace; and (seq) and (pop), which modify both the main trace and the trace for the continuation.

We can show that g is measurable by considering g as a disjoint union of sub-functions defined on measurable subsets of combinations corresponding to given reduction rules (e.g. \(g_{ if-true }\) and \(g_{ if-false }\) reducing conditional choices, \(g_{ while-true }\) and \(g_{ while-false }\) reducing while-loops, \(g_{ sample }\) reducing sampling statements etc.) and showing that each sub-function is measurable. The reasoning is very similar to the one presented in Appendix E.1 of [36], so we omit the full proof and only show measurability of sub-functions modifying states and infinite traces, which were not present in [36].

From Continuity to Measurability. The easiest way of proving measurability of a function is often proving that this function is continuous as a function between the metric spaces which gave rise to the domain and codomain measurable spaces—by Corollary 2, continuity implies measurability. Moreover, Corollary 3 states that if a function f between products of separable metric spaces is continuous with respect to the Manhattan products of metrics, then it is measurable with respect to products of the given measurable spaces. We will make heavy use of these results in the proofs below.

Additional Borel \(\sigma \)-Algebras. In order to carry out the proofs, we need to define separable metric spaces on statements C, expressions E and continuations K, which will induce Borel \(\sigma \)-algebras. These metrics are straightforward metrics on syntactic terms, similar to the metrics on lambda-terms in [36]. We omit the details, but these metrics would be defined so that \(d_C(C_1;C_2, C_1';C_2') = d_C(C_1, C_1') + d_C(C_2, C_2')\) and \(d_K(C\mathrel {{:}{:}}K, C'\mathrel {{:}{:}}K') = d_C(C, C') + d_K(K, K')\) (where \(d_K(K, K') = \infty \) if K and \(K'\) have different lengths).

It is easy to check that all the above metric spaces are separable—for each of them, a dense subset can be obtained by replacing reals with rationals. All subspaces of separable metric spaces can also be shown to be separable.

We also need to define \(\sigma \)-algebras on step sizes n and weights w—these will be the standard discrete \(\sigma \)-algebra on \(\mathbb {Z}_{+}\) and the Borel \(\sigma \)-algebra on [0, 1], respectively.

Measurability of (assign). We define:

$$\begin{aligned} g_{ assign }(\theta , x := E ,K, \sigma , \theta _K, n, w )= & {} (\theta , \mathord {\downarrow } ,K, \sigma [x \mapsto \sigma (E)], \theta _K, n+1, w ) \\= & {} (g_{ assign1 }(\theta , x := E ,K, \sigma , \theta _K, n, w ),\\&g_{ assign2 }(\theta , x := E ,K, \sigma , \theta _K, n, w ), \\&\dots ,\\&g_{ assign7 }(\theta , x := E ,K, \sigma , \theta _K, n, w )) \end{aligned}$$

where:

$$\begin{aligned} g_{ assign1 }(\theta , x := E ,K, \sigma , \theta _K, n, w )= & {} \theta \\ g_{ assign2 }(\theta , x := E ,K, \sigma , \theta _K, n, w )= & {} \mathord {\downarrow }\\ g_{ assign3 }(\theta , x := E ,K, \sigma , \theta _K, n, w )= & {} K \\ g_{ assign4 }(\theta , x := E ,K, \sigma , \theta _K, n, w )= & {} \sigma [x \mapsto \sigma (E)] \\ g_{ assign5 }(\theta , x := E ,K, \sigma , \theta _K, n, w )= & {} \theta _K \\ g_{ assign6 }(\theta , x := E ,K, \sigma , \theta _K, n, w )= & {} n+1\\ g_{ assign7 }(\theta , x := E ,K, \sigma , \theta _K, n, w )= & {} w \end{aligned}$$

Lemma 47

\(g_{ assign }\) is measurable.

Proof

The functions \(g_{ assign1 }\), \(g_{ assign3 }\), \(g_{ assign5 }\), \( g_{ assign7 }\) are simple projections, so they are trivially measurable. The function \( g_{ assign2 }\) is a constant function, so it is also measurable. Function \( g_{ assign4 }\) is a composition of a function returning the tuple \((x, \sigma , \sigma (E))\) from the configuration, which can easily be shown measurable (projections are measurable, the function extracting E from \(x:=E\) can be shown continuous and substitution \(\sigma (E)\) is measurable by assumption), and the state update function, which is measurable by Lemma 14. Function \( g_{ assign6 }\) is a composition of a projection (returning the sixth component n from a tuple) and a function adding 1 to a number, which is continuous and measurable.

Hence, \( g_{ assign }\) is measurable, as all its components are measurable.    \(\square \)

Measurability of (draw). Let us define:

$$\begin{aligned} g_{ draw }(\theta , x :\approx U ,K, \sigma , \theta _K, n, w )= & {} (\pi _R(\theta ), \mathord {\downarrow } ,K, \sigma [x \mapsto \pi _U(\pi _L(\theta ))], \theta _K, n+1, w ) \\= & {} (g_{ draw1 }(\theta , x :\approx U ,K, \sigma , \theta _K, n, w ),\\&g_{ draw2 }(\theta , x :\approx U ,K, \sigma , \theta _K, n, w ), \\&\dots ,\\&g_{ draw7 }(\theta , x :\approx U ,K, \sigma , \theta _K, n, w )) \end{aligned}$$

where:

$$\begin{aligned} g_{ draw1 }(\theta , x :\approx U ,K, \sigma , \theta _K, n, w )= & {} \pi _R(\theta ) \\ g_{ draw2 }(\theta , x :\approx U ,K, \sigma , \theta _K, n, w )= & {} \mathord {\downarrow }\\ g_{ draw3 }(\theta , x :\approx U ,K, \sigma , \theta _K, n, w )= & {} K \\ g_{ draw4 }(\theta , x :\approx U ,K, \sigma , \theta _K, n, w )= & {} \sigma [x \mapsto \pi _U(\pi _L(\theta ))] \\ g_{ draw5 }(\theta , x :\approx U ,K, \sigma , \theta _K, n, w )= & {} \theta _K \\ g_{ draw6 }(\theta , x :\approx U ,K, \sigma , \theta _K, n, w )= & {} n+1\\ g_{ draw7 }(\theta , x :\approx U ,K, \sigma , \theta _K, n, w )= & {} w \end{aligned}$$

Lemma 48

\(g_{ draw }\) is measurable.

Proof

We only need to show the measurability of \( g_{ draw1 }\) and \( g_{ draw4 }\), as the other functions are identical to the ones used in the definition of \(g_{ assign }\).

The function \( g_{ draw1 }\) is a composition of the projection returning the first component \(\theta \) of the configuration, and the function \(\pi _R\), which is measurable by the axiomatisation of the entropy space, so it is measurable.

Function \( g_{ draw4 }\) is measurable by the same argument as \( g_{ assign4 }\), except that the measurable evaluation \(\sigma (E)\) is replaced by \(\pi _U(\pi _L(\theta ))\), which as a composition of two measurable (by assumption) functions and the measurable projection returning \(\theta \) is also measurable.    \(\square \)

Measurability of (seq) and (pop). Define:

$$\begin{aligned} g_{ seq }(\theta , C_1;C_2 ,K, \sigma , \theta _K, n, w )= & {} (\pi _L(\theta ), C_1 ,C_2 \mathrel {{:}{:}} K, \sigma , \pi _R(\theta ) \mathrel {{:}{:}} \theta _K, n+1, w ) \\= & {} (g_{ seq1 }(\theta , C_1;C_2 ,K, \sigma , \theta _K, n, w ),\\&g_{ seq2 }(\theta , C_1;C_2 ,K, \sigma , \theta _K, n, w ), \\&\dots ,\\&g_{ seq7 }(\theta , C_1;C_2 ,K, \sigma , \theta _K, n, w )) \end{aligned}$$

where:

$$\begin{aligned} g_{ seq1 }(\theta , C_1;C_2 ,K, \sigma , \theta _K, n, w )= & {} \pi _L(\theta ) \\ g_{ seq2 }(\theta , C_1;C_2 ,K, \sigma , \theta _K, n, w )= & {} C_1 \\ g_{ seq3 }(\theta , C_1;C_2 ,K, \sigma , \theta _K, n, w )= & {} C_2 \mathrel {{:}{:}} K \\ g_{ seq4 }(\theta , C_1;C_2 ,K, \sigma , \theta _K, n, w )= & {} \sigma \\ g_{ seq5 }(\theta , C_1;C_2 ,K, \sigma , \theta _K, n, w )= & {} \pi _R(\theta ) \mathrel {{:}{:}} \theta _K \\ g_{ seq6 }(\theta , C_1;C_2 ,K, \sigma , \theta _K, n, w )= & {} n+1\\ g_{ seq7 }(\theta , C_1;C_2 ,K, \sigma , \theta _K, n, w )= & {} w\\ \end{aligned}$$

Lemma 49

\(g_{ seq }\) is measurable.

Proof

The function \( g_{ seq1 }\) is measurable as a composition of a projection and a function measurable by assumption. The metrics \(d_C\) and \(d_K\) on statements and continuations (whose formal definitions are omitted) satisfy \(d_C(C_1;C_2, C_1';C_2') = d_C(C_1, C_1') + d_C(C_2, C_2')\) and \(d_K(C\mathrel {{:}{:}}K, C'\mathrel {{:}{:}}K') = d_C(C, C') + d_K(K, K')\), which makes it easy to show that \(g_{ seq2 }\) and \(g_{ seq3 }\) are measurable, as compositions of projections and continuous functions. Meanwhile, \(g_{ seq5 }\) is composed from measurable projections and the functions \(\pi _R\) and \((\mathrel {{:}{:}})\), measurable by assumption, so it is measurable.    \(\square \)

The proof of measurability of (pop) is analogous.

F.2 Measurability of \(\mathbf {O}_C^{\sigma }(\cdot ) \) and \(\mathbf {SC}_C^{\sigma }(\cdot , n) \)

Once we have proven the measurability of state updates, the proof of Lemma 9 (measurability of \(\mathbf {O}_C^{\sigma }(\cdot ) \)) is analogous to the proof of Lemma 92 in [5].

The proof of measurability of \(\mathbf {SC}_C^{\sigma }(\cdot , n)\) is even simpler—for each fixed n, we can represent \(\mathbf {SC}_C^{\sigma }(\cdot , n)\) as an n-fold composition of g, followed by a projection returning the weight w from the configuration. The projection is obviously continuous, and so measurable. Since a composition of measurable functions is measurable, this shows that \(\mathbf {SC}_C^{\sigma }(\cdot , n)\) is measurable.
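The step functions \(g_{ assign }\), \(g_{ draw }\) and \(g_{ seq }\) defined above, and \(\mathbf {SC}_C^{\sigma }(\cdot , n)\) as an n-fold composition of g followed by the weight projection, can be made concrete as a small executable model. This is an added example, not code from the chapter. The tree-shaped entropy (with SHA-256 as a deterministic stand-in for uniform values), the form of (pop), the treatment of final configurations as fixed points and the initial values n = 0, w = 1 are assumptions; the score rule is not part of this section, so w never changes here.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Entropy:
    """Assumed entropy model: a node in an infinite binary tree of uniforms."""
    seed: bytes
    path: str = ""

def pi_L(t): return Entropy(t.seed, t.path + "0")   # left sub-entropy
def pi_R(t): return Entropy(t.seed, t.path + "1")   # right sub-entropy
def pi_U(t):                                        # uniform value in [0, 1)
    h = hashlib.sha256(t.seed + t.path.encode()).digest()
    return int.from_bytes(h[:8], "big") / 2**64

DONE = "done"  # stands for the terminated statement (the down arrow)

def g(cfg):
    """One step on a configuration (theta, C, K, sigma, theta_K, n, w)."""
    theta, C, K, sigma, theta_K, n, w = cfg
    if C == DONE:
        if not K:            # assumption: a final configuration is a fixed point
            return cfg
        # (pop), assumed form: resume the next continuation with its saved entropy
        return (theta_K[0], K[0], K[1:], sigma, theta_K[1:], n + 1, w)
    if C[0] == "assign":     # g_assign: sigma[x -> sigma(E)]
        _, x, E = C
        return (theta, DONE, K, {**sigma, x: E(sigma)}, theta_K, n + 1, w)
    if C[0] == "draw":       # g_draw: sigma[x -> pi_U(pi_L(theta))], keep pi_R(theta)
        x = C[1]
        return (pi_R(theta), DONE, K, {**sigma, x: pi_U(pi_L(theta))}, theta_K, n + 1, w)
    if C[0] == "seq":        # g_seq: push C2 and pi_R(theta), run C1 on pi_L(theta)
        _, C1, C2 = C
        return (pi_L(theta), C1, (C2,) + K, sigma, (pi_R(theta),) + theta_K, n + 1, w)
    raise ValueError(f"no rule for {C!r}")

def run(C, sigma, theta, n):
    """n-fold composition of g from the initial configuration (n = 0, w = 1 assumed)."""
    cfg = (theta, C, (), dict(sigma), (), 0, 1.0)
    for _ in range(n):
        cfg = g(cfg)
    return cfg

def SC(C, sigma, theta, n):
    """Weight projection (seventh component) after n steps."""
    return run(C, sigma, theta, n)[6]

# Constructed sample program: x :~ U; (y :~ U; z := x + y)
PROG = ("seq", ("draw", "x"),
        ("seq", ("draw", "y"), ("assign", "z", lambda s: s["x"] + s["y"])))
THETA = Entropy(b"constructed-seed")
```

Running `run(PROG, {}, THETA, 7)` reaches the final configuration in seven steps. The two draws read the disjoint entropy nodes `00` and `100`, which is how the splitting by \(\pi _L\) and \(\pi _R\) in (seq) keeps them independent.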

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this chapter

Szymczak, M., Katoen, JP. (2020). Weakest Preexpectation Semantics for Bayesian Inference. In: Bowen, J., Liu, Z., Zhang, Z. (eds) Engineering Trustworthy Software Systems. SETSS 2019. Lecture Notes in Computer Science(), vol 12154. Springer, Cham. https://doi.org/10.1007/978-3-030-55089-9_3

  • DOI: https://doi.org/10.1007/978-3-030-55089-9_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-55088-2

  • Online ISBN: 978-3-030-55089-9
